Is Facebook’s encryption key a threat to India’s national security

After the announcement, last year, to allow users to login using TOR (The onion router) networks for making communications anonymous, Facebook has again become the pioneer in better security and privacy to combat surveillance. It has now given the option to use the PGP (Pretty good privacy) algorithm to send encrypted messages. The user can send the messages by embedding a private key in it by which the message can be read only if the key is known.

But has it inadvertently compromised national security?

Though it would now be impossible to snoop on others, it is a huge setback for law enforcement as it would now be difficult to keep a check on cyber crimes and terrorist activities carried on via the internet.

“Law enforcement would not be really happy with this move as the PGP algorithm itself was developed as a revolt against the US government’s decision of forcing the service providers to provide the backdoors,” said Vinayak Godse, Senior Director- Data Protection, Data Security of Council of India.

Experts agree that there is no single solution for complete security. Methods have already been demonstrated in the past to circumvent the PGP. One just needs to hack the machine and gain access to the victim’s private key stored in plain text.

“Email by itself is not an authenticated communication. The digitally sound concept of email has still not caught up,” said Rajendran, immediate past president of Cyber Society of India.

So, has it made the hackers more powerful and the victims more vulnerable by hindering legal surveillance?

“Criminals are already well versed with other anonymous services offered from other service providers like off-the-record chat and viber. Yes, this feature is an add-on to their basket,” said Vinayak.

But all is not compromised, experts say. Monitoring an email id would become difficult but if the accused is identified and his computer is seized, forensic analysis may help.

Apart from the security risks involved, users are wary about the compatibility and convenience factors. For advanced users, secure communication is possible. However, for normal users, using the encryption would not be so easy. Besides, Facebook does not have an option to retrieve the encryption key if one loses it. The pass phrase can be reconstructed only if it is on one’s enterprise server with security questions created. Else, one might have to recreate a new one where his old mails might not be readable.

(image credits: tomsguide.com)