Saturday, April 23, 2016

WhatsApp encryptions: Does it really protect women and children from cyber crimes ?

CYBER CRIME AGAINST WOMEN BY DEBARATI HALDER
Couple of days ago hundreds of WhatsApp user may have come across a small message with each of the messages that they may have received from their Whatsapp friends : the message indicated that from now onwards except the sender and the receiver, no one (not even WhatsApp) would be able to decrypt any message that is encrypted from end to end. A simple meaning of this is, when I send a message to one of my friends in WhatsApp, the algorithm key that I am using to encrypt my message can not be ‘opened’/translated/seen/understood /accessed by anyone other than that particular friend to whom the message is intended for and sent to. The sender may understand whether her message has been delivered to the intended recipient by seeing the double ‘tick’ sign and once they are blue in colour, the sender may assume that the message has been actually seen and read by the recipient. WhatsApp in its own version says “WhatsApp's end-to-end encryption is available when you and the people you message use the latest versions of our app. Many messaging apps only encrypt messages between you and them, but WhatsApp's end-to-end encryption ensures only you and the person you're communicating with can read what is sent, and nobody in between, not even WhatsApp. This is because your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them. For added protection, every message you send has its own unique lock and key. All of this happens automatically: no need to turn on settings or set up special secret chats to secure your messages.” (https://www.whatsapp.com/security/). And how would we know whether the message is encrypted or not? Whatsapp says :
“To verify that a chat is end-to-end encrypted
Open the chat.
Tap on the name of the contact or group to open the contact info/group info screen.
Tap Encryption to view the QR code and 60-digit number.
If you and your contact are physically next to each other, one of you can scan the other's QR code or visually compare the 60-digit number. If you scan the QR code, and the code is indeed the same, a green checkmark will appear. Since they match, you can be sure no one is intercepting your messages or calls.If the codes do not match, it's likely you're scanning the code of a different contact, or a different phone number. If your contact has recently reinstalled WhatsApp, or switched devices, we recommend you refresh the code by sending them a new message and then scanning the code.” (https://www.whatsapp.com/faq/en/general/28030015)
So what does it mean? A secured conversation? Respite from hackers? No disturbance from unknown persons? By now, internet has been flooded with write-ups, analysis and discussions on whether the encryption policy of WhatsApp is good or bad for its subscribers. Some says it was indeed needed because it would save subscribers from unwanted government surveillances, hackers and unethical profit makers who see internet as a place for easily available images which may be ‘sold’ to the porn market. Some opine that this encryption policy would make it impossible for the police to help the victims of cyber crimes including women and children.  Before beginning any discussion on this, we must understand about encryption and decryption policies that is the centre of issues here. Encryption ( which means converting a data into codes which can not be simply intercepted ) is a necessary part of every internet/digital communication system  and  encryption policies may be framed based on the laws of the hosting nation (of the web company) and  the company policies which is enabling such services. India does not have any specific Rules regarding encryption policies under the Information Technology Act, 2000(amended in 2008), even though S.84A of the Act authorises the government to implement Rules regarding this. Encryption is not complete without decryption which is a process of opening such encrypted data. Every data which is encrypted, must necessarily have the right ‘keys’ to be decrypted, otherwise the intention behind encrypting a data would have no meaning. Decryption however is defined by Information Technology (Procedure and safeguards for interception, monitoring and decryption of information) Rules, 2009  created under S.69 of the Information Technology Act, 2000(amended in 2008). It needs to be noted that decryption policies are also generally guided by the laws of the hosting country. But at the same time, each web company must necessarily abide by the laws of the place of ‘business’ as well. This means that even if a web company has its own policies regarding encryption to provide extra security to its subscribers, it must abide by the laws of the land of the subscribers to enable the government for legitimate surveillance and also  for tackling online crimes. We now know that WhatsApp is now the most chosen medium to generate messages or spread messages /text/images (including those which are ‘illegal’). Often in cases of civil/political unrest, one may note that the police administration may suggest for complete blockage of messaging services like WhatsApp. This again falls under S.69A of the information Technology Act,2000(amended in 2008) which authorises the government to issue direction for blocking for public access of any information through any computer resource.
But when it comes to crimes against women and children, I see no positive development even after creating such extra layer of security.  There are instances of approaching women in their private whatsapp numbers for harassing them, accessing private photographs (already available in other social media and circulating them either ‘as it is’ or the morphed version of the same, threatening and blackmailing women with such images etc. What is more disturbing is, even after the encryption policies are rolled out by WhatsApp, no attempt has been taken to initiate a proper reporting mechanism. In the recently held UNICEF India meeting on expert consultation of online child safety, I had expressed my concern in this regard as well. At the most what an offended subscriber can do, is to block the harassing ‘number’ and leave a group if he/she is added to it without his/her consent. The harassing WhatsApp profile may still stay at large with the private images and information of the victim to upload them in other social media including YouTube or adult sites. Similarly, if not blocked, the harassing profile may continue to send bullying, derogatory, demeaning, insulting messages to the victim ‘uninterruptedly’. So what is the use of encryption policy then? It actually provides a half baked solution, i.e, protection against hacking. It may probably encourage more sexting because such images and messages may stay comfortably and permanently with the sender and the recipient only. But again, if there is a case of jilted love affair, no one, not even WhatsApp encryption policies may prevent possible creation of revenge porn materials on the same platform and also on the web. But here one must not be misguided by the fact that in such cases, the police would not be able to help nab the criminal due to encryption policies of WhatsApp. In such situations again, the law takes the same course of action as is the case for any other social media crimes against women, with off course limitations when the harasser is situated outside the jurisdiction of India, even though Information technology Act has extra jurisdictional scopes as well. 
          It is however unfortunate to note that unlike several EU countries and Canada, our courts and government are unable to take strong actions against the web companies who are not complying with the local laws in matters of assisting the governments and criminal justice machineries to nab the criminal or in the investigation. There are lots of techno-legal  issues which needs to be settled to achieve this in India, which includes proper training to the police, the lawyers and the judges. We have highest number of subscribers for WhatsApp, but awareness regarding safety issues is almost nil. Unless subscribers are made aware of the positive and negative sides of the technology that they are using, no policy, including this encryption policy may help reducing crimes online.
Let us spread awareness rather than defamatory ‘viral news’.  Lets join hands to stop cyber crimes against women.
Please Note: Do not violate copyright of this blog. If you would like to use informations provided in this blog for your own assignment/writeup/project/blog/article, please cite it as “Halder D. (2016),WhatsApp encryptions:  does it really protect  women and children from cyber crimes?”24th April, 2016, published in http://debaraticyberspace.blogspot.com/