Commentary

Find our newspaper columns, blogs, and other commentary pieces in this section. Our research focuses on Advanced Biology, High-Tech Geopolitics, Strategic Studies, Indo-Pacific Studies & Economic Policy

Indo-Pacific Studies, High-Tech Geopolitics Pranay Kotasthane Indo-Pacific Studies, High-Tech Geopolitics Pranay Kotasthane

China’s Semiconductor Gold Rush: A Reality Check

By Pranay Kotasthane and Rohan Seth

The semiconductor industry has become a major front in the US-China tech war. Given that this is a weak link in China’s otherwise impressive technology stack, the US has imposed export controls restricting Chinese semiconductor companies from accessing key equipment, software, and intellectual property.This article was first published in the South China Morning Post. Views are personal. Read more here.

Read More

Shutting down internet to curb opposing views is problematic

States around the world are divided along the lines of how they should view the internet. On one end of the spectrum, there are calls to treat the internet somewhat as a fundamental right. For instance, the UN subscribes to this view and is publicly advocating for internet freedom and protection of rights online. On the other end of the spectrum, there is India, where after over a hundred shutdowns in 2019 alone, you could arguably define access to the internet as a luxury.

In my personal opinion, shutting down the internet for a certain area is an objectively horrible thing to do. It’s no wonder that states tend to not take this lightly. Even in Hong Kong, after months of protests, the government felt it okay to issue a ban on face masks in public gatherings. However, when it came to the internet, the government looked at censoring the internet, not shutting it down. The difference is that under censorship, access to certain websites or apps is restricted, but there is reasonable scope for the protesters to contact their families and loved ones. The chronology will tell you that even internet censorship as a measure was considered after weeks of protests.

In the case of India, that is among one of the first things the government does. So when India revoked Kashmir’s autonomy on August 5, 2019, the government shut down the internet the same day. It has been almost 150 days at the time of writing with no news of access to the internet being restored in Kashmir valley. Naturally, people are now getting on trains to go to nearby towns with internet access to renew official documents, fill out admission forms, check emails, or register for exams.

There are multiple good arguments as to why the internet should not be shut down for regions. They cost countries a lot of money once implemented.

According to a report by Indian Council for Research on International Economic Relations, During 2012-17,

16,315 hours of Internet shutdown cost India’s economy around $3 billion, the 12,600 hours of mobile Internet shutdown about $2.37 billion, and the 3,700 hours of mobile and fixed-line Internet shutdowns nearly $678.4 million.

Telecom operators have also suffered because of the Article

370 and the CAA bi-products of the internet shutdown with The Cellular Operators Association of India (COAI) estimating the cost of internet shutdowns being close to `24.5 million for every hour of internet shutdown. Then consider the impact shutting down the internet has on the fundamental right to the freedom of speech and expression and the impact it has on the democratic fabric of our country.

In the case of India, internet shutdowns are also a bad idea because they reinforce the duration of shutdowns and also make themselves more frequent.

Let me explain the duration argument first. Shutdowns tend to happen in regions that are already unstable or maybe about to become so. For better or for worse, the violence and brutality resulting from the instability are captured and shared through smartphones. While those videos/photos may not be as effective as independent news stories, when put on social media they combine to build a narrative. And soon enough the whole is greater than the sum of its parts, creating awareness among people who had little or none before. The problem is that the longer the instability and the internet shutdown lasts, the more ‘content’ there is to build a narrative. In the case of Assam and even more so in Kashmir, this is exactly what has happened. At this point, if the government rescinds the shutdown in either of those places, it faces the inevitable floodgates opening on social media. And the longer this lasts, the more content is going to be floated around.

Secondly, internet shutdowns make internet shutdowns more frequent. After revoking access to the internet a certain number of times, the current administration seems to have developed a model/doctrine for curbing dissent.

Step 1 in that model is shutting down the internet. This has led to shutdowns being normalized as a measure within the government. So it’s no longer a calculated response but a knee-jerk reaction that seems to kick the freedom of expression in the teeth every time it is activated.

The broader point here is that taking away the internet is an act of running away from backlash and discourse.

To carry it out as an immediate response to protests is in principle, turning away from the democratic value of free speech. It’s hard to believe that it may be time for the world’s largest democracy to learn from Hong Kong (a state which uses tear gas against its people and then tries to ban face masks) when it comes to dealing with protesters.

(The writer is a technology policy analyst at the Takshashila Institution.)

This article was first published in Deccan Chronicle.

Read More

Amazon, Fine Margins, and Ambient Computing

There are some keynotes in the tech world that serve as highlights of the year. There is Apple’s iPhone event and WWDC where Apple traditionally deals with software developments. Then there is Google’s IO, and also the Mobile World Congress. Virtually all of these are guaranteed to make the news. Earlier last year, it was an Amazon event that captured the news (outshining Facebook’s Oculus event that was held on the same day in the process).During the event, Amazon launched 14 new products. By any standards, that is a lot of announcements, products, and things to cover in a single event. And so it can be a bit much to keep up with and make sense of what’s happening at Amazon. The short version of the developments is that Amazon is trying to put Alexa everywhere it possibly can. It’s competing with Google Assistant and Siri, as well as your daily phone usage. It wants you to check your phone less and talk to Alexa more.It would explain why Amazon has launched ‘echo buds’. They have Bose’s ‘Noise Reduction Technology’ and are significantly cheaper than Apple’s Air Pods. There is also an Amazon microwave (also cheaper than its competition), as well as Echo Frames, and an “Alexa ring”, called Loop. The Echo speaker line has also been diversified to suit different pockets (and has also included a deepfake of Samuel Jackson’s voice, which is amusing and incentive enough to prefer Alexa over other voice assistants unless competition upstages them). Amazon launched a plug-in device called Echo Flex (which seems to be ideally suited for hallways, in case you want access to Alexa while going from one room to another and are not wearing your glasses, earphones, or ring). Aside from a huge number of available form factors in which they can put Alexa in, the other thing about these products is how they are priced. You could make the argument that the margins are so little that the pricing is predatory (a testament to what can be accomplished when one sacrifices profit for market share). Combine that with how they will be featured on Amazon’s website and you can foresee decent adoption rates, not just in the US, but also globally should those products be available.In the lead-up to the event, Amazon also launched a Voice Interoperability Initiative. The idea is that you can access multiple voice assistants from a device. Notably, Google Assistant and Siri are not part of the alliance, but Cortana is. You can check out a full list here. The alliance is essentially a combination of the best of the rest. It aims to compensate for the deep system integration that Alexa lacks but Google Assistant and Siri have on Android and iOS devices.Besides making Alexa more competitive, the broader aim for the event is to make Amazon a leader in ambient computing. Amazon knows that it is going to be challenging to have people switch from their phones to Alexa and so likely wants marginal wins (a practice perfected in-house). That’s why so many of their announced products are concepts, or ‘day 1’ products available on an invite-only basis. The goal is to launch a bunch of things and see what sticks and feels the most natural to fit Alexa in so that they can capitalize on it later.It is Amazon’s job to make a pitch for an Alexa-driven world and try to drive us there through its products and services, but not enough has been said about what it might look like once we are in it. An educated guess is that user convenience will eventually win in such a reality. As will AI, with more data points coming in for training. This is likely to come at a cost of privacy depending on Amazon’s compliance with data protection laws (should they become a global norm).To be fair to Amazon, the event had some initial focus on privacy which then shifted to products. However, the context matters. For better or worse, these new form factors are a step ahead in collecting user data. Also, the voice interoperability project might also mean that devices will have multiple trigger words and thus, more accidental data collection. To keep up with that, Amazon will need to improve its practices on who listens to recordings and how.Amazon’s event has given us all things Alexa at very competitive rates, which sounds great. If you are going to take away one thing from the event, let it be that Amazon wants to naturalise you talking to Alexa. Its current strategy is to surround you with the voice assistant wrapped in different products. If it can make you switch to talking to Alexa instead of checking your phone, or using Google Assistant or Siri even 4 times a day, that is a win they can build on.

Read More

Data Protection Bill, an unfinished piece of work

Bill demands age verification and consent from guardians of children for data processing

Shashi Tharoor has a strong case when he says that the personal data protection Bill should have come to the information technology standing committee. It does set a precedent when issues as important as the bill do not go through proper channels of debate. Because of the nature of the Bill, there is a tremendous amount of scope for discourse and disagreement.

Let us begin with the most debated aspect of this legislation, the Data Protection Authority (DPA). Because the mandate of the Bill is so large, it can only go on to set guidelines and give direction on where the data protection space should go. The heavy lifting of enforcement, monitoring, and evaluation has to fall on the shoulders of a different (and ideally independent) body. In this case, it is the DPA that has the duty to protect the interests of data principals, prevent any misuse of personal data, ensure compliance with the act, and promote awareness about data protection. The body needs to enforce the Bill down to auditing and compliance, maintaining a database on the website that has a list of significant data fiduciaries along with a ranking that reflects the level of compliance these fiduciaries are achieving, and act as a form of check and balance to the government.

However, the DPA may end up not being the force of objective balance that it has often been made out in the Bill. Here is why. The body will have a total of 7 members (a chairperson with 6 others). All of them will be appointed by the government, based on the recommendations of the cabinet secretary, secretary to the Government of India in the ministry (or department) dealing with legal affairs, and the secretary to the ministry (or department) of electronics and information technology. All of this falls under the mandate of the executive and has no involvement required from the judiciary or for that matter the legislative. Also, the current version of the Bill does not specify who (or which department) these recommendations will go to in the central government. Is it MeitY? NITI Aayog? PMO? There is no clarity.

One cannot help but notice a pattern here. The Bill itself is going to go to a committee dominated by members of the ruling party and the enforcer is going to be wholly constituted by the executive.

Where is the feedback loop? Or the chance for scrutiny? You could at this point begin questioning how independent the DPA is going to be in its values and actions.

That is not to say that the Bill is all bad. Specifically, it does a good job of laying out the rights of the personal and sensitive personal data of children. And that is not often talked about a lot. The Bill here has a unique approach where it classifies companies that deal with children’s data as guardian data fiduciaries. That is crucial because children may be less aware of the risks, consequences and safeguards concerns and their rights in relation to the processing of personal data. Here the Bill clearly requires these guardian data fiduciaries to demand age verification and consent from guardians for data processing. Also, fiduciaries are not allowed to profile, track, monitor or target ads at individuals under 18.

This is a loss for Facebook. The minimum age to be on the social media platform is 13. And Facebook’s business model is to profile, track, monitor, and micro-target its users. One of two things will happen here. Facebook will either have to change the bar for entry onto the platform to 18 as per the Bill. Or, it will need to ensure that its algorithms and products do not apply to users who are below 13. Either way, expect pushback from Facebook on this, which may or may not result in the section being modified.

The other thing the Bill should add on children’s rights is the requirement to simplify privacy and permissions for children to be consistent with global standards. For instance, the GDPR mandates asking for consent form children in clear and plain language. There is value in making consent consumable for children and for adults. So provisions in this regard should apply not just for children but also for adults, mandating a design template on how and when consent should be asked for.

In sum, the Bill is an unfinished product in so many ways. It has good parts, such as the section on the personal and personal sensitive data of children. However, it needs debate and scrutiny from multiple stakeholders to guide the DPA to be the best version of itself and it is in the government’s hands to make that happen.

Read More

2020 cybersecurity policy has to enable global collaboration

The rapid expansion of digital penetration in India brings with it the need to strengthen cybersecurity. The critical nature of the myriad cyber threats that India faces was underscored by the recent breach at the Kudankulam nuclear power plant and the Indian Space Research Organisation. These were just two of the 1,852 cyber-attacks that are estimated to have hit entities in India every minute in 2019. Symantec’s 2019 Internet Security Threat Report ranks India second on the list of countries affected by targeted attack groups between 2016 and 2018.It’s clear that India faces expanded and more potent cyber threats. Given this fact, the new national cybersecurity policy, set to be announced early next year, should improve on the shortcomings of the previous policy of 2013. The most significant of these were the absence of clear, measurable targets, failure to set standards for the private sector and limited focus on international collaboration.

 In many ways, the broad thrust of the 2013 policy was on point. It argued for the need to build a “secure and resilient cyberspace,” given the significance of the IT sector to foster growth while leading to social transformation and inclusion. This called for creating a “secure computing environment and adequate trust and confidence in electronic transactions, software, services, devices and networks”. Since then, certain steps have been taken to operationalise the policy. These include the establishment of the National Cyber Security Coordination Centre and Cyber Swachhta Kendra along with announcements to set up sectoral and state CERTs and expand the number of standardisation, testing and quality certification testing facilities. However, much more needs to be done and that too at a faster pace.While it is no one’s argument that state capacity can be augmented overnight, setting clear targets can help drive action towards an identified goal. Moreover, the lack of these in the 2013 policy means that it is extremely difficult today to assess whether the policy had the desired impact. Five-year plans are well-written documents, whether or not you agree with the goals they outline for the nation or even if the five-year approach is right at all.The most quantifiable item on the agenda for the 2013 cybersecurity policy was the objective to create a workforce of 500,000 professionals skilled in cybersecurity in the next five years through capacity building, skill development, and training. The objective set a number that one can look at five years from then and see if they exceeded or fell short of expectations. And the data in this regard is sobering. For instance, in 2018, IBM estimated that India was home to nearly 100,000 trained cybersecurity professionals. What’s further alarming is that it estimated the total number needed at nearly three million. The 2020 policy must, therefore, not just identify clear targets but also identify the ways and means through which that target should be met.Almost everything else in the 2013 document was fairly ambiguous. It contained repeated references to adopt and adhere to global standards for cybersecurity. However, there was no clarity on what specific standards should be followed and how long industry should take to adopt them.This brings us to the second shortcoming. The policy at the time was hoping to balance a trade-off between encouraging innovation while ensuring that basic standards for security and hygiene were met. When it comes to the private sector, it repeatedly used words such as “encourage”, “enable” and “promote”, being careful to not make anything mandatory. Even when it did mandate something, say global best practices for cybersecurity to critical infrastructure, it is hard to say how it planned to declare the mandate a success or a failure. This is again a pitfall that the 2020 policy must avoid. The policy must establish or identify standards that the industry should adopt within a fixed timeframe. Also, there is a need for the government to engage with the private sector, particularly when it comes to sharing skills and expertise.Finally, when it comes to international collaboration, the 2013 policy argued for developing bilateral and multilateral relationships in the area of cybersecurity with other countries and to enhance national and global cooperation among security agencies, CERTs, defence agencies and forces, law enforcement agencies and the judicial systems. Since then, India has entered into a bunch of cybersecurity-related MoUs. However, there is an urgent need to set into place domestic frameworks, say for instance with regard to data protection, which will enable broader global collaboration and participation in rule setting. Unfortunately, this has not been happening. For instance, India was not a signatory to the Budapest convention which would have allowed for easier access to data for law enforcement. It also did not enter into an executive agreement under the US-initiated CLOUD Act. On a related note, the government also did not sign the Osaka Track, a plurilateral data sharing agreement proposed at the 2019 G20 Summit. These are important dialogues that India must be part of if it needs to build a resilient and thriving cyber ecosystem.

Read More

Personal Data Protection Bill has its flaws

Data Protection Authority can potentially deal with brokers and the negative externality

Indian tech policy is shifting from formative to decisive. Arguably the biggest increment in this shift comes this week as the Personal Data Protection Bill will (hopefully) be debated and passed by the parliament. The bill itself has gone through public (and private) consultation. But it is still anyone's guess what the final version will look like.

Based on the publically available draft, there is a lot right with the bill. The definitions of different kinds of data are clear, and there is a lot of focus on consent. However, there is not enough focus on regulating data brokers. And that can be a problem. Data brokers are intermediaries who aggregate information from a range of sources. They clean, process, and/or sell data they have. They generally source this data if it is publicly available on the internet or from companies who first hand.

Because the bill does not explicitly discuss brokers, problems lie ahead. Broadly, you could argue that brokers come under either the fiduciary or in India sell lists of people who have been convicted of rape and the list ends up becoming public information.

Similarly, think about cases where databases of shops selling beef, alcoholics or erectile dysfunction are released into the wild. The latter two are instances the US is somewhat familiar with. A data broker can ask its clients to not re-sell the data, or expect certain standards of security to be maintained. But there is no way to logistically ensure that the client is going to adhere to this in a responsible manner. The draft bill talks about how to deal with breaches and who should be notified. But breaches are, by definition, unauthorised. A data broker’s whole business model is selling or processing data. All of which is legal. So, how should the

Indian government be looking at keep data brokers accountable? Some would argue that the answer may lie in data localisation. But localisation will only ensure that data is stored/processed domestically. Even if the broker is located domestically, it doesnt matter unless there is provision in law for mandating accountability.

The issue around brokers is also unlikely to be handled in the final version of the bill. Even though it is important and urgent, it does not take precedence over more fundamental issues. What is going to happen here is that data brokers and their activities are going to be subject to the mandate of the Data Protection Authority (DPA) due to be formed after the bill is passed.

Once the DPA is formed, there are a few ways in which it can potentially deal with brokers and the negative externality their role brings.

One option could be to hold data brokers accountable once a breach has occurred and a broker has been identified as culpable. The problem here is that data moves fast. By the time there is a punitive measure in response to a breach, the damage may have already been done. In addition, such a measure would also encourage brokers to hide traces of the breaches that lead to them.

Another alternative could be to ask every data broker to register themselves.

But that would mean more data brokers being incentivised to move out of the country while maintaining operations in India.

Rohan is a technology policy analyst at The Takshashila Institution.

This article was first published in Deccan Chronicle.

Read More

Govt needs to be wary of facial recognition misuse

India is creating a national facial recognition system. If you live in India, you should be concerned about what this could lead to. It is easy to draw parallels with 1984 and say that we are moving towards Big Brother at pace, and perhaps we are. But a statement like that, for better or worse, would accentuate the dystopia and may not be fair to the rationale behind the move. Instead, let us sidestep conversations about the resistance, doublethink, and thoughtcrime, and look at why the government wants to do this and the possible risks of a national facial recognition system.

WHY DOES THE GOVERNMENT WANT THIS?

Let us first look at it from the government’s side of the aisle. Having a national facial recognition database can have a lot of pros. Instead of looking at this like big brother, the bestcase scenario is that the Indian government is looking at better security, safety, and crime prevention. It would aid law enforcement. In fact, the request for proposal by the National Crime Records Bureau (NCRB) says as much, ‘It (the national facial recognition system) is an effort in the direction of modernizing the police force, information gathering, criminal identification, verification and its dissemination among various police organizations and units across the country’.

Take it one step further in a world where later down the line, you could also use the same database to achieve gains in efficiency and productivity. For example, schools could have attendance based on FaceID-like software, or checking for train tickets would be more efficient (discounting the occasional case of plastic surgery that alters your appearance significantly enough).

POTENTIAL FOR MISUSE

The underlying assumption for this facial recognition system is that people implicitly trust the government with their faces, which is wrong. Not least because even if you trust this government, you may not trust the one that comes after it. This is especially true when you consider the power that facial recognition databases provide administrations.

For instance, China has successfully used AI and facial recognition to profile and suppress minorities. Who is to guarantee that the current or a future government will not use this technology to keep out or suppress minorities domestically? The current government has already taken measures to ramp up mass surveillance. In December last year, the Ministry of Home Affairs issued a notification that authorized 10 agencies to intercept calls, data on any computer.

WHERE IS THE CONSENT? Apart from the fact that people cannot trust all governments across time with data of their faces, there is also the hugely important issue of consent and absence of legality. Facial data is personal and sensitive. Not giving people the choice to opt-out is objectively wrong.

Consider the fact that once such a database exists, it is will be combined with state police across the country, it says as much in the proposal excerpt mentioned above. There is every chance that we are looking at increased discrimination in profiling with AI algorithms repeating the existing biases.

Why should the people not have a say in whether they want their facial data to be a part of this system, let alone whether such a system should exist in the first place?

Moreover, because of how personal facial data is, even law enforcement agencies should have to go through some form of legal checks and safeguards to clarify why they want access to data and whether their claim is legitimate.

Data breaches would have worse consequences

Policy, in technology and elsewhere, is often viewed through what outcomes are intended and anticipated. Data breaches are anticipated and unintended. Surely the government does not plan to share/sell personal and sensitive data for revenue. However, considering past trends in Aadhaar, and the performance of State Resident Data Hubs goes, leaks and breaches are to be expected. Even if you trust the government to not misuse your facial data, you shouldn’t be comfortable with trusting third parties who went through the trouble of stealing your information from a government database.

Once the data is leaked and being used for nefarious purposes, what even would remedial measures look like? And how would you ensure that the data is not shared or misused again? It is a can of worms which once opened, cannot be closed.

Regardless of where on the aisle you stand, you are likely to agree that facial data is personal and sensitive. The technology itself is extremely powerful and thus, can be misused in the wrong hands. If the government builds this system today, without consent or genuine public consultation, it would be almost ensuring that it or future administrations misuse it for discriminatory profiling or for suppressing minorities. So if you do live in India today, you should be very concerned about what a national facial recognition system can lead to.

This article was first published in The Deccan Chronicle. Views are personal.

The writer is a Policy Analyst at The Takshashila Institution.

Read More

There’s more to India’s woes than data localisation

The personal data protection bill is yet to become a law and the debate is still rife on the costs and benefits of data localisation. It is yet to be seen officially if the government is going to mandate localisation in the data protection bill and to whom it is going to apply. Regardless of whether or not data localization ends up enshrined in the law, it is worth taking a step back and asking why the government is pushing for it in the first place.

For context, localisation is the practice of storing domestic data on domestic soil. One of the most credible arguments for why it should be the norm is that it will help law enforcement. Most platforms that facilitate messaging are based in the US (think WhatsApp and Messenger). Because of the popularity of these ‘free services,’ a significant amount of the world’s communication takes place on these platforms. This also includes communication regarding crimes and violation of the law.

This is turning out to be a problem because in cases of law violations, communications on these platforms might end up becoming evidence that Indian law enforcement agencies may want to access. The government has already made multiple efforts to make this process easier for law enforcement. In December 2018, the ministry of home affairs issued an order granting powers of “interception, monitoring, and decryption of any information generated, transmitted, received or stored in any computer,” to ten central agencies, to protect security and sovereignty of India.

But this does not help in cases where the information may be stored outside the agencies’ jurisdiction. So, in cases where Indian law enforcement agencies want to access data held by US companies, they are obliged to abide by lawful procedures in both the US and India.

The bottleneck here is that there is no mechanism that can keep up with this phenomenon (not counting the CLOUD Act, as India has not entered into an executive agreement under it).

Indian requests for access to data form a fair share, owing to India’s large population and growing internet penetration. Had there been a mechanism that provided for these requests in a timely enforcement through the provision of data. Most requests are US-bound, thanks to the dominance of US messaging, search, and social media apps. Each request has to justify ‘probable cause by US standards.’ This, combined with the number of requests from around the world, weighs down on the system and makes it inefficient. People have called the MLATs broken and there have been several calls for reform of the system.

A comprehensive report by the Observer Research Foundation (ORF) found that the MLAT process on global average takes 10 months for law enforcement requests to receive electronic evidence. 10 months of waiting for evidence is simply too long for two reasons. Firstly, in cases of law enforcement, time tends to be of the essence. Secondly, countries such as India have a judicial system with a huge backlog of cases. 10month-long timelines to access electronic evidence make things worse.

Access to data is an international bottleneck for law enforcement. The byproduct of the mass adoption of social media and messaging is that electronic criminal evidence for all countries is now concentrated in the US.

The inefficiency of MLATs is one of the key reasons why data-sharing agreements are rising in demand and in supply, and why the CLOUD Act was so well-received as a solution that reduced the burden on MLATs.

Countries need to have standards that can fasten access to data for law enforcement, an understanding of what kinds of data are permissible to be shared across borders, and common standards for security.

India’s idea is that localizing data will help with access to it for law enforcement, at least eventually down the line. It may compensate for not being a signatory to the Budapest Convention. It is unclear how effective localisation will be. Facebook’s stored in India is Facebook’s data.

Facebook is still an American company and should still be subject to US standards of data-sharing, which are one of the toughest in the world and include an independent judge assessing the probable cause, refusing bulk collection or overreach. This is before we take into account encryption.

For Indian law enforcement, the problem in this whole mess is not where the data is physically stored. It is the process that makes access to it inefficient. Localisation is not a direct fix, if it proves to be one at all. The answer lies in better data-sharing arrangements, based on plurilateral terms. The sooner this realized, the faster the problems can be resolved. data still

Rohan is a policy analyst at the technology and policy programme at The Takshashila Institution. Views are personal.

This article was first published in the Deccan Chronicle.

Read More

How Pegasus works, strengths & weaknesses of E2E encryption & how secure apps like WhatsApp really are

Pegasus, the software that infamously hacked WhatsApp earlier this year, is a tool developed to help government intelligence and law enforcement agencies to battle cybercrime and terror. Once installed on a mobile device, it can collect contacts, files, and passwords. It can also ‘overcome’ encryption, and use GPS to pinpoint targets. More importantly, it is notoriously easy to install. It can be transmitted to your phone through a WhatsApp call from an unknown number (that does not need to be picked up), and does not require user permissions to get access to the phone’s camera or microphone. All of that makes it a near complete tool for snooping.While Pegasus is able to hack most of your phone’s capabilities, the big news here is that it can ‘compromise’ end to end (E2E) encryption. The news comes at attesting time for encryption in India, as the government deliberates a crackdown on E2E encryption, a decision that we will all learn about more on Jan 15, 2020.Before we look at how Pegasus was able to compromise E2E encryption, let’s look at how E2E encryption works and how it has developed a place for itself in human rights.E2E is an example of how a bit of math, applied well, can secure communications better than all the guns in the world. The way it works on platforms such as WhatsApp is that once the user (sender) opens the app, the app generates 2 keys on the device, one public and one private. The private key remains with the sender and the public key is transmitted to the receiver via the company’s server. The important thing to note here is that the message is already encrypted by the public key before the message reaches the server. The server only relays the secure message and the receiver’s private key then decrypts it. End to end encryption differs from standard encryption because in services with standard encryption (think Gmail), along with the receiver, the service provider generally holds the keys, and thus, can also access the contents of the message.Some encryptions are stronger than others. The strength of an encryption is measured through how large the size of the key is. Traditionally, WhatsApp uses a 128-bit key, which is standard. Here you can learn about current standards of encryption and how they have developed over the years. The thing to keep in mind is that it can take over billions of years to crack a secure encryption depending on the key size (not taking into account quantum computing):Key Size         Time to Crack56-bit                 399 Seconds128-bit               1.02 x 1018 years192-bit               1.872 x 1037 years256-bit               3.31 x 1056 yearsE2E encryption has had a complex history with human rights. One the one side, governments and law enforcement agencies see E2E encryption as a barrier when it comes to ensuring the human rights of its citizens. Examples of mob lynching being coordinated through WhatsApp, such as these, exist around the world.On the other hand, security in communications and the anonymity it brings, has been a boon for people who might suffer harm if their conversations were not private. Think peaceful activists who utilize it to fight for democracy around the world, most recently, Hong Kong. Same goes for LGBTQ activists and whistleblowers. Even diplomats and government officials operate through the seamless secure connectivity offered by E2E encryption.The general consensus in civil society is that E2E encryption is worth having as an increasing amount of digital human communications move online to platforms such as WhatsApp.How does Pegasus fit in?End to end encryption ensures that your messages are encrypted in transit and can only be decrypted by the devices that are involved in the conversation. However, once a device decrypts a message it receives, Pegasus can access that data which is at rest. So it is not the end to end encryption that is compromised, but your devices security. Once a phone is infected, Pegasus can mirror the device, literally record the keystrokes being typed by the user, browser history, contacts, files and so on.The strength of end to end encryption lies in the fact that it encrypts data in transit well. So unless you have the key for decryption, it is impossible to trace the origin of messages as well as the content that is being transmitted. The weakness for end to end encryption here, as mentioned above, is that it does not apply to data at rest. If it were still encrypting data at rest, messages received by users would not be readable.At this point, the question about how secure apps such as WhatsApp, Signal, and Telegram really are, is widely debateable. While the encryption is not compromised, the larger system is, and that has the potential to make the encryption a moot point.WhatsApp came out with an update that supposedly fixed the vulnerability earlier this year, seemingly protecting communications on the platform from Pegasus.What does this mean for regulation against WhatsApp?The Pegasus story comes at a critical time for the future of encryption on WhatsApp and on platforms in general. The fact that WhatsApp waited ~6 months to file the lawsuit against the NSO will not help the platforms credibility on the traceability and encryption debate. This also brings into question the standards for data protection Indian citizens and users should be subject to. The data protection bill is yet to become law. With the Pegasus hack putting privacy front and center, the onus should ideally be on making sure that Indian communications are secure against foreign and domestic surveillance efforts.

Read More