03 April 2017 09:43:30 IST

The battle for privacy and security

How valid are these issues in a world increasingly vulnerable to terrorist attacks?

World over there is continual debate on the relative case for privacy and security. There is an erroneous belief that they cannot coexist. Experience however reveals that the two can blend with ease with a careful application of mind and a spirit of compromise. Those who have taken extreme positions on the subject are equally passionate and articulate. Most of them are at least partially right. The debate is extremely crucial to an expanding cyberspace.

The contentious arguments between pro- and anti-privacy champions had remained somewhat dormant after last year’s tussle between the FBI and the US giant Apple, in which the two mighty organisations fought over the former’s demand that Apple should help them break open a locked iPhone that had been used by a terrorist couple before their attack on a government employee group in San Bernardino, California. Apple had expressed its helplessnesss at that time saying that the passcode was personal to the owner of the phone; even the manufacturer was not privy to it. It also said that opening a back door to facilitate an FBI investigation was a breach of assurance to customers who had been told that their communication channel was foolproof and inviolable. The FBI then got hold of an individual who unlocked the phone. Incidentally, nothing of significance was found.

Hacking the phone

The controversy has resurfaced following the incident near the British Parliament when Khalid Masood killed four persons, including a police constable. The Metropolitan Police found that Masood had sent at least one WhatsApp message before the dastardly act. The Met believes that Masood’s hitherto unidentified contact could help unravel any conspiracy behind the crime.

However, there is a stalemate flowing from WhatsApp’s stand that it is helpless in the matter. It has cited in its defence the technology of end-to-end encryption embedded in the system designed by Open Whisper Systems.

In 2014 the two organisations entered into a partnership whereby end-to-end encryption became a default feature of the instant messaging system. Any message initiated by user A could be read by the addressee B only. Nobody else — including WhatsApp — would ever be able to decipher it. There were no servers in which messages were stored. WhatsApp is a post office-cum-facilitator rather than a storehouse of data. This was security at its tightest, similar to the one guaranteed by Apple. Opening a ‘back door’ for a third party is technically an impossibility and an anathema.

Top security

WhatsApp’s claim is that the protocol guarantees “...confidentiality, integrity, authentication, participant consistency, destination validation, forward secrecy, backward secrecy (aka future secrecy), causality preservation, message unlinkability, message repudiation, participation repudiation, and asynchronicity”. UK Home Secretary Amber Rudd is backing the Met to the hilt. She convened a meeting of technology firms on March 30 at which she appealed to them to cooperate with law enforcement agencies. The companies agreed to do so. Beyond this there does not seem to have been any qualitative change to the situation, with privacy concerns trumping over any other consideration. No company is learnt to have given any undertaking with regard to encryption.

There is little evidence so far that WhatsApp’s claim of helplessness and foolproof security is either bogus or extravagant. But it begs the question whether such a tight security system is warranted when the terrorist scene is grave. Those who are critical of attempts to dilute the laboriously built security features of WhatsApp allege disproportionate reaction by the government and its security outfits to the misdeeds of a handful of terrorists. They feel that however secure you might make a system, the ingenious terrorist will always manage to find a viable alternative. Clearly, this is a debate without losers or gainers, one in which each side is at least partly right.

(The writer, a former CBI director, is adviser (security) at TCS. The article first appeared in The Hindu BusinessLine.)