Explained: Can the govt track WhatsApp messages without breaking encryption?

As WhatsApp’s stalemate with the Indian government continues over enabling traceability of chats under the recently notified Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021, a new possible solution has come to the fore – hashing of messages. 

According to media reports, the government has proposed assigning alphanumeric hashes to WhatsApp messages. This will reportedly allow the Facebook-owned platform to comply with the country’s IT rules and track the first original sender of messages, if and when needed by the court or other enforcement agencies.  

But how would this work without breaking WhatsApp’s end-to-end encryption?  

End-to-end encryption is a feature that WhatsApp offers by default to ensure a private and secure messaging experience for its users. It creates a secure communication channel -- a sent message is encrypted as it passes through the network and servers, and decrypted once it reaches the intended recipient's device. This means that nobody, except the sender or receiver, can read or listen to the messages.  

The decryption part is automatically done using a unique private key, which is generated both by the sender and the receiver, and is known only to their respective devices. It changes with every message. 

Even before the IT rules were notified, WhatsApp had resisted implementing traceability solutions, saying that there was no technology that could track the first sender of a flagged violative message while ensuring end-to-end encryption for the rest of the users (identifying the original sender would mean defining who said what and who messaged whom).  

Security experts have also argued that traceability cannot co-exist with end-to-end encryption. 

Right, so what’s the government’s hashing solution? 

Hashing is a practice where a piece of information -- data of arbitrary size -- is masked with fixed-size bit string value or another piece of information. It is used for a range of purposes, including cryptography, compression, checksum generation, and data indexing. 

How does this help the government? 

Well, the government wants WhatsApp to generate and assign alphanumeric hashes to each original message sent and store them in its own secure catalogue. So, when a law enforcement agency wants to investigate a problematic message, all it has to do is ask WhatsApp for details of the original sender.  

So, hypothetically, every time you send a message that is not a forward, WhatsApp will assign your text a tag. This tag and the text you send will be encrypted. WhatsApp will only store the tag and the tag’s associated identity.   

“Enforcement agencies may ask details on the basis of whatever copy/screenshot and time of any WhatsApp messages. WhatsApp may easily identify the hash of that message and later provide mobile numbers,” security researcher Rajshekhar Rajaharia told TechCircle, explaining how the technique could help identify the original source, without technically breaking encryption.

The method was first pitched by Rakesh Maheshwari, Ministry of Electronics and Information Technology’s (MeitY’s) group coordinator for cyber laws. Senior government officials familiar with the matter told The Economic Times that the government was willing to work on the solution with WhatsApp.  

Implementation hiccups 

Hashing every single message on a platform that has over 400 million users in India is no easy task.  

Assuming that WhatsApp is able to do that, as Forbes India reported, there is no guarantee that the technique will work with 100% accuracy. Why? Because if the message is tweaked even a bit, like changing TechCircle to techcircle, a new hash will be assigned, turning the person making the change as the original sender. 

Debayan Gupta, assistant professor of computer science at Ashoka University, also told the outlet that the hash value would not only be generated on the basis of the message. It will also take into account unique identity keys of the sender and the receiver, which change regularly with every message due to end-to-end encryption. This means that the hash value generated would be different for the same message as it is forwarded ahead.  

This could only be avoided by lowering encryption – if not breaking it -- and enabling tracking, he said. 

“Technologically, it is feasible to achieve this. One just needs to see if it is commercially feasible, as there will be an investment into infrastructure (to create and store the hash strings for every message) from WhatsApp,” Sanjay Katkar, joint managing director and CTO, Quick Heal Technologies, told TechCircle. “WhatsApp will be able to comply with the government laws, and it will be possible to trace the message and its origins.”

And then there are associated privacy and security risks.  

“This infrastructure, once created, will be out there. If it gets breached, the malicious parties will also have access to similar traceability solutions. So, WhatsApp will have to invest in the protection of this whole sensitive information. This can also weaken the privacy achieved using end-to-end encryption. Plus, it will also have to create a policy on who will have access to this information and how,” Katkar said. 

What’s WhatsApp saying? 

So far, WhatsApp has not commented on the matter.  

Queries sent to the company by TechCircle remained unanswered till the time of publishing this story. 

However, in the Big Technology Podcast, Will Cathcart, CEO of WhatsApp, had said that the company had conveyed its concerns to the government and was willing to explore traceability solutions that “don’t touch encryption”. 

"We’ve been pretty opposed to it… We’ve been consistently opposed to it. There’s actually been an ongoing conversation in India and Brazil and some other places,” he had said.