New Program Can Trace Encrypted WhatsApp Messages

Mayank Varia, cryptographer and computer expert, may have found the solution to allow the sending of secure, confidential and untraceable messages, but still with a way to track threatening messages. Varia is an expert on the societal effect of programs and algorithms; the creation of systems that balance security and privacy with social justice and accountability.

Working with a team of computer scientists from Boston University, he designed the ‘Hecate’ program, named after the Greek goddess of spells and magic, which increases the confidentiality of a secure messaging app, and allowing the tracing of abuse.

The findings of the team will be presented at the 31st USENIX Security Symposium.

‘Our goal in cryptography is to build tools and systems that allow people to get things done safely in the digital world,’ said Varia, Associate Professor of Data Sciences at Boston University. ‘The question at play in our paper is what is the most effective way to build a mechanism for reporting abuse— the fastest, most efficient way to provide the strongest security guarantees and provide the weakest possible puncturing of that?’

Varia is also working on applying this approach to apps other than messaging apps, developing online tools for governments to track wage gaps between genders, and allow victims of sexual assault to report their attackers more safely.

End-to-end encryption, made popular by apps like Signal and WhatsApp, scrambles messages sent on the internet into an unreadable format. The messages are only decrypted when they reach the intended recipient’s phone. This encryption also makes sure that messages sent cannot be traced back to the sender.

‘The goal of these deniable messaging systems is that even if my phone is compromised after we’ve had an encrypted messaging conversation, there are no digital breadcrumbs that will allow an external person to know for sure what we sent or even who said it,’ said Varia.

Amnesty International argued that encryption is ‘an essential protection of everyone’s rights to privacy and free speech,’ and is crucial to counter corruption and challenge governments. However, privacy can be exploited and used for nefarious purposes.

‘There are specific times where this can be a bad thing. Suppose the messages someone is sending you are harassing and abusive and you want to go seek help, you want to be able to prove to the moderator what the message contents were and who said them to you,’ Varia said.

A survey carried out on Israeli elementary, middle and high school students revealed that of the 97% that use WhatsApp, 30% had been bullied on the app. Prosecutors in the United Kingdom have claimed that end-to-end encryption could affect their ability to stop child abuse. Terrorists and extremist groups have used encrypted apps to spread violence.

Hecate supports the right to privacy, while still allowing for accountability. It allows users to deny ever sending a message, but these users can also be reported if they are abusive. The moderator of the app developed a special batch of electronic tokens for each user which is sent with each message of the user. Should the recipient report that message, the moderator will verify the token of the sender and take the appropriate action. This is referred to as asymmetric message franking.

There is however a failsafe. ‘The token is an encrypted statement that only the moderator knows how to read— it’s like they wrote a message in invisible ink to their future self,’ said Varia. ‘The moderator is the one who builds these tokens. That’s the nifty part about our system: even if the moderator goes rogue, they can’t show and convince the rest of the world— they have no digital proof, no breadcrumbs they can show to anyone else.’

While there already exists message franking systems like the one used on WhatsApp, Varia says Hecate is more secure, futureproof and faster.

‘Hecate is the first message franking scheme that simultaneously achieves fast execution on a phone and for the moderator server, support for message forwarding, and compatibility with anonymous communication networks like Signal’s sealed sender. Previous constructions achieved at most, two of these three objectives,’ says Varia.

The team believes that with just a few months of development and testing, Hecate could be ready to be implemented on apps like WhatsApp and Signal. Varia however suggests that companies use Hecate with caution until its potential social impact has been fully investigated.

‘There’s a question of can we build this, there’s also a question of should we build this?’ says Varia. ‘We can try to design these tools that provide safety benefits, but there might be longer dialogues and discussions with affected communities. Are we achieving the right notion of security for, say, the journalist, the dissident, the people being harassed online?’

Varia’s approach to encryption is greatly beneficial to the survivors of sexual abuse. In a collaboration with Callisto, a San Francisco-based nonprofit organization, he created a new secure reporting system for sexual assault, inspired by #MeToo movement.

‘They report their instance of sexual assault into our system and that report kind of vanishes into the ether. But if somebody else reports also being assaulted by the same perpetrator, then—and only then—does the system identify the existence of this match.’

That information is then passed on to a volunteer attorney who works with the survivors on the next steps to take.

‘When we talk about trade-offs between privacy, digital civil liberties, and other rights, sometimes there is a natural tension,’ says Varia. ‘But we can do both: we don’t have to build a system that allows for bulk surveillance, wide-scale attribution of metadata of who’s talking to who; we can provide strong personal privacy and human rights, while also providing online trust and safety, and helping people who need it.’

 

 

By Marvellous Iwendi.

Source: The Brink