Hash constant: Govt’s solution to tracing originator of viral messages
Significant social media intermediaries can comply with the government’s norm for disclosing the originator of viral messages by assigning each message a unique mathematical value that can be traced to their creators, an official familiar with the matter said even as the chorus against the new rules for digital media escalates. The value is called the hash constant or the hash value. The value changes at the slightest alteration of the original message, say with the insertion of even a comma or a full stop, leading to a new originator being created.
Significant social media intermediaries are the ones that have over five million users, according to the new online media rules. The Centre last Thursday notified the rules that will govern online content. The rules include allowing users to dispute action taken against them by social media intermediaries such as Facebook and Twitter and setting up a three-tier self-regulatory framework for so-called over the top platforms such as Amazon Prime, Netflix and Hotstar, and online news media entities.
Also Read | Centre announces rules for OTT, digital media
Most end-to-end encrypted messaging applications, such as WhatsApp, Signal, and Telegram, fall in the significant social media category. They have 90 days to comply with the extra due diligence rules.
“The hash constant is barely 1 kb and will take up not more than 1% of the memory of the messaging application,” said a second official, on the condition of anonymity. The official added the government would already have identified the text of the message, so at no point will the messaging company have to violate the encryption. “All we are saying is store the hash, identify it for a particular message and tell us the originator for the same as the value is constant,” the official said. “We do not even want to know who all the message was forwarded to.”
The official added the ambit under which a judicial or competent authority order can be exercised is very clearly laid out in the rules. They include a threat to sovereignty, integrity of India, the security of the state, friendly relations with foreign states, or public order, or of incitement to an offence relating to them or in relation with rape, sexually explicit material or child sexual abuse material, punishable with imprisonment for a term of not less than five years. The official said the rules also state that no order shall be passed in cases where other less intrusive means are effective in identifying the originator of the information.
A person familiar with Signal’s policies said that the company is completely open-source and collects no data. “The policy being requested by the government will lead to breaking end-to-end encryption,” the person said. “It seems India is moving towards controlling the internet the same way China does, or even worse–Iran.”
Signal has been designed to minimise the data it retains about users. “...the only information we can produce in response to a request like this is the date and time a user registered with Signal and the last date of a user’s connectivity to the Signal service,” it said in response to a grand jury subpoena for Signal user data in the US in 2016. “Notably, things we do not have stored include anything about a user’s contacts (such as the contacts themselves, a hash of the contacts, any other derivative contact information), anything about a user’s groups (such as how many groups a user is in, which groups a user is in, the membership lists of a user’s groups), or any records of who a user has been communicating with.” The company emphasised all message contents are end-to-end encrypted, and they do not have that information either.
WhatsApp, too, is involved in a case in the Madras High Court, where it has been suggested that originator information be attached to every message. “But that is not possible as the... protocol... WhatsApp uses for end-to-end encryption as well provides for cryptographic deniability,” said a person familiar with WhatsApp’s policy.
The person added the meta-data that WhatsApp collects is shared with law enforcement agencies. In its affidavit filed in the high court, WhatsApp said it is unable to comply with providing originator information as it does not store it. It is unable to search for and view messages exchanged on its platform, it added.
Anand Venkatanarayanan, disinformation, cyber weapons and data security researcher, said there is simply no way to comply with the guidelines without breaking end-to-end encryption. “At the heart of E2E [end-to-end encryption] is the Diffie–Hellman algorithm, which allows shared encryption keys to be generated by two parties by exchanging their public keys,” Venkatanarayanan said. “...these keys are not static but change for every new message sent out. This scheme allows anyone to forge an entire transcript with anyone, thus rendering any attempt to add originator information into the E2E protocol dead on arrival. Hence, the only way to comply with the guidelines is to break E2E.”