The spread of fake news through social media has been a cause of concern for quite some time. It was highlighted in the past during elections and now continues as Covid-19 threatens humanity.
Whenever an election nears, social media is used for campaigns promoting the electoral prospects of candidates. This is a legitimate advertising and promotion activity and cannot be faulted or curbed. Unfortunately, unscrupulous candidates and their campaign managers have focused more on projecting negative information of their opponents rather than positives of their own partymen. The matter has assumed greater importance today with the growth of fake messages which can cause untold damage to society and therefore, have to be curbed ruthlessly. In the past, attempts to curb them failed because whenever legislative controls were brought in to punish fake campaigns, politics would creep in. This would lead to both the supporters and opponents of a candidate being reluctant to identify and prevent fake messages. The attempt to do so was questioned as an assault on free speech and courts were dragged into the controversy.
The last time that the government tried to bring in some measures to prevent fake messages, it demanded that messaging platforms such as WhatsApp identify their origin. WhatsApp, however, refused to do so and stated that any such exercise would compromise its end-to-end encryption system. As a result, intermediary guidelines under Section 79 of the IT Act could not be amended when it was first presented in December 2018. It was a pre-election period and the government as usual did not press the change.
Experts had said that this contention of WhatsApp was wrong and it was technically feasible for it to identify the originating device of a forwarded message without compromising privacy and the confidentiality of the messages. They said that when a message was forwarded several times, it was feasible to ensure that a meta data was attached to the header so that at each stage of forwarding, the device could identity it and the date and time of forwarding are added to the message before it goes into encryption. This was not different from a block chain mechanism where the message with the header information keeps evolving and each such evolved message continues to be encrypted so that privacy and security are not compromised.
WhatsApp’s justification that it was technically unable to agree to the law enforcement requirement was unconvincing and dishonest. However, it yielded a little ground when it agreed to limit the sharing of a message at one point of time to only five recipients so that if a message had to be sent to 50 people, then the sender had to do so in 10 different attempts. This was an attempt to give the impression that it was assisting the government in combating the menace of fake messages without going all the way. WhatsApp also took action against some software developers who had developed applications for mass forwarding of messages through it so that the dispersion of fake messages could be slowed down. This was more to protect their IP than to prevent fake messaging.
When the Personal Data Protection Bill of 2019 was drafted, the government once again made an attempt to take control of fake messaging by introducing a mandatory requirement that social media intermediaries provide an option to users to get their messages displayed with a “Verified Tag”.
However, with the advent of Covid-19, the problem of fake information became more acute as people spread wrong information about its reach, the damage it can cause, likely remedies, etc. This time there was no political backing for the fake messages and hence, there was an apolitical response from WhatsApp with a new voluntary, technical measure meant to slow down their spread. The new system will identify the number of times a message is forwarded and after the first five forwards, this will be restricted to just one at a time. The message will also display an extra arrow to indicate that forwarding is in the restrictive stage. This, however, does not eliminate the message if it is fake. It will only delay the process of forwarding.
By initiating this restriction, WhatsApp has said that it is able to monitor whether a message is forwarded five times or more. This proves that its earlier contention to the government that it cannot identify the origin of a message is false.
Technically, if WhatsApp can count whether a message has been forwarded by one or more persons, then it will be able to identify the message and also from where the forward has come. All WhatsApp messages pass through its server before they land on the destination phone as it has to be re-sent if that phone is not connected at the time the message was first sent. Hence, it is considered infeasible that the WhatsApp server cannot see the sender’s device by whatever ID it may recognise it.
Legally, the government had the power to demand the assistance of WhatsApp not only for identifying the origin of a message but perhaps even for decryption. Section 69 of the Information Technology Act, 2000 gave the powers of interception, monitoring or decryption to a designated official of the government under a specific procedure. Such a procedure is already in place and though a notification to amend the rules issued in December 2018 was stalled, the availability of the power was never in doubt. Further, Section 69 also provided that if the service provider or any other person failed to assist the designated authority, the company and its executives could be imprisoned for up to seven years.
In several rounds of discussion between the Ministry of Electronics and Information Technology, WhatsApp and other social media representatives since December 2018, it must have dawned on these agencies that they stand on weak legal ground in resisting the moves of the government to curb fake news. But now, with the need to prevent fake news to protect the community from a pandemic and with no political support, whatever little courage these companies had in resisting the government earlier must have crumbled. Hence, they have come out with a voluntary offer of restricting the forwarding to a single destination.
With WhatsApp dropping its earlier resistance, it is up to the government to push it once again to institute a mechanism where a header is inserted for every message to identify the origin and each forward. WhatsApp can also initiate measures to monitor such meta data so that there is proactive identification of any forwards to identified groups and they are filtered. Filtering of messages on the basis of intended forwarding would help law enforcement authorities to identify suspect groups who are working against the interest of the public and they can be blocked from receiving messages.
There will, no doubt, be a charge that this would amount to censorship. But if the procedure laid out is stringent and its use is restricted to exceptional cases with hard evidence to back it, the filtering of fake and malicious messages and subsequent legal action can be undertaken by the police better than is possible now.
As regards end-to-end encryption which WhatsApp claims to be impregnable and beyond its capability to decrypt, the existence of malware such as Pegasus proves that breaking into a mobile device and reading WhatsApp messages is feasible. Hence, end-to-end encryption is not a foolproof system.
End-to-end encryption of a messaging service like WhatsApp is different from that of a voice message like Blackberry or Apple. Retrieving a voice message without the permission of the owner of a device by the law enforcement agency or a hacker requires not only access to the device but also enabling of the storing of the voice files.
In the case of messaging applications, storage and subsequent retrieval is an inherent character of the service and therefore, technically, reduces one process compared to recording of a voice conversation and listening to the recorded files.
WhatsApp restricting the number of forwards, therefore, strengthens the hands of the government. The company can no longer use technical excuses when it is ordered by law enforcement to reveal the identity of the devices originating and forwarding fake messages. This will now also possibly extend to decryption of end-to-end encryption.
—The writer is a cyber law and techno-legal information security consultant based in Bengaluru