As society pushes the limits of technology, the battle between privacy and security is growing more intense. And the consequences are spilling out all over the headlines.
In India, for example, widespread hysteria surrounding rumors of child kidnappings — rumors that spread almost instantaneously via WhatsApp, the country’s dominant messaging system — led to mob lynchings in 2018 that killed at least 18 people.
The company, owned by Facebook since 2014, has slowed the speed with which these messages can be shared in India by cutting the limit on recipients of a shared message from 256 to 5. But the encryption used to keep messages private, known as end-to-end encryption, makes it nearly impossible to flag malicious messages.
Dr. Hoda Maleki, assistant professor in the School of Computer and Cyber Sciences, is working with researchers at Boston University to find a way to identify dangerous messages while preserving the privacy of the messages themselves.
With end-to-end encryption, the server passes the message from the sender to the recipient unopened, which maintains privacy but allows misinformation to spread virally. In India, the misinformation centered on child kidnapping and organ harvesting. In Brazil, it allegedly impacted the 2018 presidential elections.
Maleki and the other researchers are looking at the problem from multiple angles to ensure the development of a practical solution.
“If your security solution does not change the application structure dramatically, then they will be more willing to consider it than if we give them a solution that will completely change their platform,” Maleki says. “So we’re looking at two different paths — going with noncryptographic solutions to decrease the amount of computation on the client side, and then using a cryptographic solution on the server side to help the cases that we are suspicious about.”
If a blacklist of false messages could be created, Maleki says, a data structure could be applied and a very compressed set of data could be sent to the client. If the message the client receives falls into this set, it could be sent to the server side for more computations, though the message itself would remain private.
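The client-side check described above can be sketched as follows. This is an added example, not the researchers' code: the article does not name the data structure, so a Bloom filter is assumed here, and the normalization step, function names and sample messages are all constructed for illustration. The private server-side computation is not shown.

```python
import hashlib
import math

class BloomFilter:
    """Compact set membership: no false negatives, tunable false positives."""
    def __init__(self, capacity: int, fp_rate: float):
        self.m = math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2)  # bits
        self.k = max(1, round(self.m / capacity * math.log(2)))               # hashes
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes):
        # Double hashing: derive k bit positions from one SHA-256 digest.
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(item))

def normalize(text: str) -> bytes:
    # Assumption: case and whitespace are folded so trivially altered copies match.
    return " ".join(text.lower().split()).encode("utf-8")

def build_filter(blacklist, fp_rate=0.01):
    """Server side: compress the blacklist into a filter to ship to clients."""
    bf = BloomFilter(len(blacklist), fp_rate)
    for msg in blacklist:
        bf.add(normalize(msg))
    return bf

def should_escalate(bf, received: str) -> bool:
    """Client side: local check on the decrypted message; True means 'ask server'."""
    return normalize(received) in bf

# Constructed sample data, not real messages.
BLACKLIST = [f"constructed rumor #{i}: forward this to everyone" for i in range(500)]
FILTER = build_filter(BLACKLIST)

if __name__ == "__main__":
    raw = sum(len(normalize(m)) for m in BLACKLIST)
    print(f"blacklist {raw} bytes -> filter {len(FILTER.bits)} bytes, k={FILTER.k}")
    print(should_escalate(FILTER, "Constructed  RUMOR #7: forward this to everyone"))
    print(should_escalate(FILTER, "dinner at 8 tonight?"))
```

A hit only means the message may be on the blacklist: roughly 1% of unrelated messages also match at this setting, which is why a hit is handed to a second, more expensive check rather than acted on directly.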
According to Maleki, the complexity of the issues involved is what interests her in cybersecurity research.
“It is about how people look into a technology or a solution — how they can make use of it in a beneficial way and how they can make use of it in a harmful way,” she says.