A report by the Economic Times yesterday suggested that some officials are proposing that WhatsApp should assign and store an alphanumeric hash to each message so as it could be traced back to the originator if it causes unlawful activity. An official who is involved in the traceability discussion said that the government is “willing to work with WhatsApp to come up with a solution to enable traceability of messages without breaking encryption”. However, there are a few problems with this approach. In an end-to-end encrypted system, every message is different for the system as it can’t read your messages. So if you send “Hi” two times, it doesn’t recognize it as the same message. Prasanth Sugathan, Legal Director, Software Freedom Law Centre ( SFLC.in), a New Delhi based organization that concentrates on digital law, said that perpetrators could change the message slightly or simply copy it to cause the change of the hash: In 2018, WhatsApp faced a lot of backlash from India after forwarded messages containing false information caused over 30 lynchings in the nation. However, the company has taken multiple steps to limit forwards, so it would be naive to assume every message moves in a chain. Now if a government identifies a problematic message, and if it requires to find who first sent it, it’s hard to do without reading the content of the chat and breaking encryption in effect. Matthew Hodgson, CEO of Element, a secure messaging app based on the Matrix protocol, said that hashing messages could reduce the privacy of users and undermine the encryption of messaging apps: There’s a possibility that the government might suggest key escrow, a method to give authorized third-party entities access to content without breaking encryption. But as the Clipper Chip case of the US in the 90s suggests, key escrows have many gaping holes in terms of unauthorized usage and security.
— Srinivas Kodali (@digitaldutta) March 21, 2021 Then there is the legal issue of determining if the originator of a message is the culprit. In an interview with Medianama last year, Anyesh Roy, the head of Delhi Police’s Cyber Crime Cell unit, said that WhatsApp provides metadata for law enforcement to catch criminals — but not the originator. In a recent article by Forbes, lawyers noted that India’s rules to determine if the originator is the perpetrator are murky and courts will have to look at them case by case. In another scenario, if a person is sharing illegal content, police would only have information about the person under arrest and who sent them the content. But because hashes are different for different messages, it might be difficult to catch all the people distributing the file. India’s suggestion of hashing messages looks like a half-hearted attempt to solve the distribution of false information at the moment. It has more questions — technically and legally — than answers at the moment. It’s probably time to go back to the drawing board.