India's demand to identify people on chat apps will 'break end-to-end encryption', say digital rights warriors After a three-year review process, India has announced strict regulations for instant chat services, social network operators, and video-streaming companies. Titled "Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021," the red-tape [PDF] creates four big obligations for antisocial media …
This is one time I don't agree with the "internet sky is falling" crowd. Identifying people does NOT mean breaking the encryption. They aren't asking to view the messages being sent, only to identify who is sending them. That can be accomplished with verifiable header signatures and does NOT require breaking the traffic encryption that follows.
I agree.
Where the real hullabaloo comes from is that it makes providers responsible for managing identity (read: it costs them money, which is where one half of the screeching originates from). If that goes together with strong measures to only breach that anonymity in the case of law enforcement it is an acceptable route to making people responsible for their actions (hello origin number two of the yelling).
Of course, the real problem is probably that part two: there are VERY few government officials (seen on a global basis) who can withstand the ultra-strong pull of all that juicy data about their citizens, especially if said politicians have something to hide: IMHO there is a strong correlation between the level of corruption in a government and its dislike of rights for its citizens.
That can be accomplished with verifiable header signatures and does NOT require breaking the traffic encryption that follows.
How does that meet the Thought Police's requirement to “enable identification of the first originator of the information”?
The payload could be extracted by a recipient and sent on with a brand new header, thus erasing any information about the first originator of the message/incriminating image of politician/whatever.
How do you know it contains child porn or whatever? While it is true that identification of the originator can be made separate from the encryption of the content, that won't be sufficient for Indian authorities to police things in the way they say they want to.
The signature verifies where it came from, encryption hides the content. I can encrypt so you can see nothing of what I send unless you gold the correct key. This has nothing to do with seeing who sent it.
Still, if I do encrypt it then it means revealing the contents to the plod when they accuse me of something, defeating hiding it.
The fact is that any real democracy putting the people in front of the politicians get rich power grab does not need legislation like this. And of course both the British and American governments have gone way too far down the spyy on the plebs because now the 0.01 percent own 80 percent of everything the plebs are getting restless
Can’t you read ? The very first line says ‘after a 3 year review process’.
Since you know nothing about the farm bills either:
https://www.orfonline.org/research/intellectual-biography-india-new-farm-laws/
They’re the creation of a 20 year long consultation and experimental process led by none other than the legendary MS Swaminathan .
If you don’t know who that is, seriously just stop talking about Indian agriculture.
tl;dr: a cursory familiarity with the news is a dangerous thing.
Yes agree that digital signatures and e2e encryption aren't mutually exclusive. But signed messages are easy to un-sign before forwarding, screenshot or copy/paste etc., if the forwarder so desires. To mitigate against that you can go and close anything but the "analog loophole", by having a closed code base and strict security, like Lotus Notes used to do (anyone remember that?).
If you _really_ want to crack down on how an "undesirable" message (be it CP, or incitement of racial violence, or farmers' protest messages) meanders through FB or Whatsapp or whatever, you need to break encryption and read/store/trace messages on the central server.
You don't even need this. The payload is separate from the signature in a mime packet thus you can just extract the message and resign it, maybe outside on India, and send it back into India. Encryption would make that impossible to stop. For example I live in Bombay, sign and encrypt the message to my aunt Matilda in New Zealand, they open it (they have the decryption key) they then send the data back in, unsigned from outside and the whole Indian idea is circumvented. If it was supposed to be anti terrorist (which today just means anyone unhappy with the enrichment of the rich at the downtreading of the rest of us) they forget how international this feeling is
Just do a hash of the message text and it works if you cut and paste it too. It will break if you modify it but at least they can track it back to you, identify the source of your message and then track it on.
For this system to work they will need access to 1 message in the chain - usually someone who infiltered the group or someone who was offended by the message and reported it. Once you have that you can track the chain to its source and get a warrant for that person and then repeat the process after examining their phone to track their source.
It seems like a workable solution that does not break encryption - not that I support it.
Quote: “....enable identification of the first originator of the information..."
Old fart here.
Doesn't the careful use of TOR (or even a VPN) make this demand impossible?
Doesn't the use of private encryption schemes also make the use of "end-to-end" encryption by service providers (if used) completely moot?
Of course, I may be missing something here! Do tell!
It's alreacy well known that Narendra Modi and his party support discriminating against minority groups in India. Therefore, the obvious response should be to revoke India's independence, and try again after the country's people have reached a sufficient level of political maturity to live in harmony together, or after the country has been adequately partitioned - without bloodshed - so that each of the major groups is securely in its own nation where it has no fear of being pushed around by a majority from a different group.
And this is also the way to deal with Myanmar; any attacks on minorities, any departure from democracy should mean immediate regime change.
Of course, the potential problem of interference from Russia and China will first have to be dealt with.
I would agree but let's look at home and even at the beaving Americans. Both USA and UK profess democracy, both are hugely corrupt and run by a clique to enrich them and their close friends. To be honest neither country, not the EU have any sensible model of how to run things better.
I see all these stories about "fixing" the Internet's problems by identifying posters but nobody seems to think that we'd be better off learning not to be stupid.
It's the Internet, you think we can actually identify anyone this way and that the "identified" posts would not be faked too?
The illusion of privacy you get on the Internet disguses the fact that for all but a very small number of people if someone in authority wanted to know who you are then they'd easily find out. It is possible to hide but you have to recognize that to do this you have to live like a spy, taking stringent precautions to avoid detection at all times, something that for the vast majority of us is both unnecessary and impractical.
Requiring people to idenitify themselves would go a long way to restoring civility on the 'net.
India seems to be in a bit of a political mess at the moment so it will be interesting to see just how much longer Modi and the BJP can hang on for. I think he's only getting away with things because he's prepared to annoy the neighbors as America's proxy in the area but this isn't a winning strategy for the long term.
@martinusher
Quote: "...Requiring people to idenitify themselves..."
*
I'm always curious about this suggestion....how might it be implemented? In the physical world, there's usually some sort of PHYSICAL validation process. With a passport, for example:
1. Fill in an application form
2. Provide a photograph
3. Get someone who is ALREADY validated to countersign the form, and countersign the photograph
4. Get the passport authority to review the application
5. Maybe receive a new passport
*
So.....when an immigration officer wants you to "identify yourself", you are asked to remove your hat and sunglasses, present your passport, and the officer does two things:
6. Checks to see if the person matches the photograph
7. Checks to see if the passport is listed anywhere as false or stolen or......
*
And my question about the internet boils down to asking about these two sets of process:
Q1: What would be the internet equivalent of a "passport"? What would the process be to get this "internet passport"?
Q2: What would be the internet equivalent of a "sign on check" (equivalent to items #6 and #7)?
*
Then there's this assertion: Quote: "Strictly speaking nobody's anonymous"
This appears to be somewhat less than "strict". Yes....an IP address is always available. But it is NOT always certain that the IP address maps to the ACTUAL USER at the IP address. For example, the IP address may map to a coffee shop or a betting shop, or the user may be using a hijacked WiFi access point, or the user may be using TOR or a VPN, or the user may be one of many behind a NAT router. In all these examples, the account holder at the IP address may not be the person using the IP address. So the actual person using an IP address may in fact be VERY DIFFICULT to identify.
*
A propos -- I've always wondered when folk talk about checking to see that an internet user is an adult (you know "parental controls", etc).
*
Suggestions about stronger "identity" checking on the internet are, of course, always interesting......but not always welcome!
Signed (as usual): AC
Q1: What would be the internet equivalent of a "passport"? What would the process be to get this "internet passport"?
RFID chip implanted in the user. A government approved device with enterprise level security. And serious penalties for misuse.
Q2: What would be the internet equivalent of a "sign on check" (equivalent to items #6 and #7)?
User scans said chip which is then authenticated by the government database.
........and, of course, there are no snags with this at all:
- Every country in the world would have a different "government database"
- Every "government database" would be impervious to hacking
- Various "bad actors" would sell you an RFID chip coded as some other person
- The technology would, of course, last forever.....no need for upgrades across billions of people
*
....and so on. You had your tongue in your cheek.......but some authoritarian out there might actually take you seriously!!!
> Requiring people to idenitify themselves would go a long way to restoring civility on the 'net.
That is the old theory, and it could even be true some time ago when people still could be ashamed or afraid of consequences or something. Not any more. Now you double down – the more outrageous things you say, the more important it is to do so. And it works.
I have watched the real-name policy applied by some news sites here (or “news” sites – though not consipracy theory pedlars, just news somewhere on the tabloid spectrum). The result is that all the insane crap in discussions continues happily, now just labelled with real names and towns.
One would be to run the country democratically in a way that ensure happy and satisfied people ( not grinding poverty for most but lavish lifestyles and space programs for a tiny few)
Another answer is for all internet websites and providers to block India from access, remove all development from India and generally say it's not possible or reasonable so no.
"Another requires web platforms to offer users a chance to verify their identities and have their accounts marked as authentic."
I don't think it should be required but the option to log in is useful for political/social comment. As is the right to Anon Cow posting. (Holy Anon Holy Cow posting in India?)
I used to post on an activist website and malicious actors would post drivel under my name - that was my prerogative! Then they'd use that to justify police SWATting. I was able to swat away the police by pointing out my back-board post outlining the problem and asking for the option of an authenticated log-in, but given the police had already infiltrated the 'collective' then they already knew that.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
