When interacting in the digital realm, encryption technology is the first and only line of defence for netizens. The majority of us do not have access to a virtual private network or any other tool to transact securely. We have been trusting the system. It is for these reasons that cryptographers came up with a solution where we simply have to trust mathematics, which by its nature is verifiable. Today, respected messaging platforms have end-to-end encryption baked into their core. The Signal protocol, used by the Signal Foundation and WhatsApp to encrypt our messages, is publicly available on GitHub for experts to verify. This enables the platform to be a dumb conduit that simply facilitates the transaction but cannot read it. It ensures that we can securely share personal information with our family, doctors, lawyers and business partners without the fear of a bad actor snooping on us. With the Covid-19 pandemic forcing the world to switch online for basic things such as education, children can also communicate securely by relying on these end-to-end encrypted platforms.
Tackling CSAM by risking user security
While ordinary citizens can rely on end-to-end encryption for secure communication, bad actors use encryption-enabled anonymity to hatch criminal conspiracies. The rise in the adoption of digital technologies has led to a simultaneous growth in online crimes. With a third of internet users being children, the proliferation of child sexual abuse material (CSAM) is quite concerning. Motivated to tackle CSAM on encrypted messaging platforms, many States have pushed for encryption-hostile laws. In that vein, the Indian government legislated the IT Rules 2021, which mandate that platforms trace the originator of illegal messages. Storing a fingerprint of all messages sent by Indian users undermines the data minimisation principle enshrined in India’s proposed data protection framework and the mandate in the Puttaswamy judgement, which confers on every individual a fundamental right to privacy. If this database is compromised, it would impact not just the safety and security of the users but also the national security of the state. Experts and international organisations have explained why such measures will only create new problems instead of resolving the existing ones. What is more concerning is that savvy criminals will simply shift to another unregulated encrypted platform or create their own, as the protocol to develop an encrypted platform is publicly available on GitHub. So the security of all will be risked only to catch low-hanging fruit.
An alternative approach to tackling CSAM
Weakening encryption is not the only way to catch criminals on encrypted platforms. While encrypted messaging platforms cannot read the content of the communication, they do have access to metadata about the communication, such as its size, time-stamp and frequency, and other details like the status, registration details and profile picture of the users, which they store securely. This data can be utilised to assist the police in catching those sharing CSAM. Utilising metadata is quite useful, but its use should be guided by the data minimisation principle outlined in the Puttaswamy judgement, else it will lead to a stark violation of the users’ fundamental right to privacy. Accordingly, it is crucial to build the metadata analysis capabilities of the law enforcement agencies so that they can do more with less, instead of breaking encryption and opening a Pandora’s box.
It will be equally important for the platforms to take the lead in resolving this challenge with forward-looking and innovative measures. These include training the law enforcement agencies to enhance their metadata analysis capabilities, utilising leading-edge technology like PhotoDNA to track CSAM on any unencrypted surfaces like profile photos, and introducing relevant updates like in-app features for reporting CSAM. We must not forget that if encryption is weakened, savvy criminals will simply shift to another unregulated encrypted platform that would not even share metadata with the police, leaving us more vulnerable than before.
Need for evidence-based policy making
As per the SIRIUS EU Digital Evidence Situation Report (2021), 208 EU law enforcement officers were asked to provide information on the most important types of data that their department needed during investigations; only 20% of those surveyed selected access to content data of chats in their top three priorities. In most cases, metadata like name, IP address, billing details etc. was found to be sufficient. This raises the question of whether it is worth weakening encryption and risking the security of all citizens to catch a few criminals when evidence suggests otherwise. The obvious way forward is to establish a streamlined process for law enforcement agencies to access digital evidence swiftly, especially in cases where data is requested from companies headquartered outside India. This calls for the negotiation of a swift mutual legal assistance treaty (MLAT) process. Moreover, progressive standards need to be laid down at the international level to ensure a timely response from foreign agencies in cases of evidence sharing and the seamless transfer of evidence between countries.
Per a revelation under the RTI Act, only 31 FIRs were registered against 15,000 complaints filed on the Indian Government’s website to report CSAM. We need evidence-based research to better understand where the problem is. In the USA, the Government legislated the Invest in Child Safety Act, which creates mandatory funding of 5 billion dollars and adds 100 new FBI agents and 65 positions at the National Center for Missing and Exploited Children (NCMEC) to respond to online sexual abuse. It will be crucial for India to enhance the capabilities of the criminal justice machinery with better training and funding. It will be equally important to promulgate a robust data protection law to protect the privacy of children on digital platforms. A forward-looking data protection framework with an independent data protection authority will be important in meeting the adequacy standards envisaged under the American CLOUD Act and the EU GDPR, which will enable a swift response to cross-border data sharing requests.
This is a Partnered post.