Mass use of encrypted messaging apps doesn’t hamper security: Harvard study

Sending text messages securely doesn't require advanced technical expertise anymore. Apps like Telegram, Signal, Surespot, etc -- some of which have been reportedly used by ISIS operatives too -- have made it as easy as downloading an app and going about business as usual. But does a growing uptake of encryption by the masses hinder the job of investigating agencies? A recent study from Harvard University's Berkman Center for Internet and Society says, no.

There has been an increased awareness of online security tools among lay persons in the post-Snowden era. Berlin-based encrypted messaging app Telegram, for example, has over 50 million downloads on Google Play Store alone. Signal, another secure messaging and calling app has over 1 million downloads on Android. These provide end-to-end encryption for messages sent over their network. This means, that the message is as good as under lock and key as it travels from sender to recipient, difficult or impossible to intercept by anyone except the person receiving the message on their own device. Apple's iMessage, which does exactly this on the iPhone, has been a point of contention between the Cupertino-based tech giant and the US government when it comes to surveillance.

Apple has resisted the The US Federal Bureau of Investigation's requests to access the contents of messages shared through the app since early 2015. The FBI argued it needed that data for effective policing, while Apple reasoned that the nature of the encryption was such that a "backdoor" for government access would defeat the purpose, and compromise privacy of its users. The conflict has only intensified after Apple once again resisted FBI's efforts to disable a security feature to unlock an iPhone for the investigation of a terror attack by ISIS sympathisers in San Bernardino.

This isn't the first time the FBI raised concerns about encryption. Back in 2010, its then counsel general Valerie Caproni had expressed apprehensions about law enforcement "going dark" or drawing a blank with lawful surveillance tactics because of these new communication channels. The Harvard study released earlier in February, titled "Don't Panic: Making Progress on the Going Dark debate", cites numerous factors to state the opposite. Chief among these are: the financial unfeasibility of internet companies offering end-to-end encryption of messages on their platform, the growing use of the "internet of things," and the non-encryption of metadata.


The use of secure messaging, just like Skype, Facebook, or Twitter, isn't limited to sharing cat gifs and topical jokes. Services like YouTube and Twitter are engaged in a constant game of whac-a-mole with such accounts allied to terror group ISIS, shutting them down even as new ones spring up. Just last month, the terror organisation launched an encrypted messaging app called Alrawi to evade snooping investigators. Telegram tried damage control by banishing ISIS operatives from its platform. Rajasthan-based Mohd Sirazuddin, arrested in December for ISIS links, also reportedly used the app to stay in touch with handlers.

A senior home ministry official, speaking to on condition of anonymity, said these challenges were not "insurmountable" for an investigating agency. "ISIS operatives have been using encrypted messaging apps like Trillian, Telegram and Surespot. But we have our own ways to handle end-to-end encryption. Different countries have different laws for retaining and disclosing data, which can be obtained by local investigating agencies after following legal procedures," said the official.

The Harvard researchers offer a more detailed explanation: "Although use of encryption may present a barrier to surveillance, it may not be impermeable...encryption does not prevent intrusions at the end points, which has increasingly become a technique used in law enforcement investigations. Encryption typically does not protect metadata, such as e-mail addresses and mobile-device location information that must remain in plaintext to serve a functional purpose. Data can also be leaked into unencrypted media, through cloud backups and syncing across multiple devices."

The study expects the "internet of things" -- an umbrella term used to refer to devices such as microwaves, curtains, doors, and lamps connected to and controllable over the internet -- to drastically alter the surveillance landscape. "The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access," it points out.

A widespread adoption of encryption practices, says Data Security Council of India head Nandkumar Saravade, is actually good for general security. "Flaws in security design are used more by malicious actors than law abiding citizens," says Saravade, pointing out that security breaches and unlawful snooping on citizens and government agencies by non-state actors can be avoided with secure communication protocols.

Comments