Signal, WhatsApp oppose law that could force them to scan messages
Several end-to-end encrypted messengers have come together to oppose a proposed UK law they say could kill end-to-end encryption. In an open letter published by WhatsApp and signed by leaders of Signal, Element, Session, Threema, and Viber, they claim that the Online Safety Bill, which is currently going through the UK Parliament, poses “an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world.”
First drafted in 2021, the bill has undergone significant changes, but its main goal has stayed the same. It aims to protect children by requiring “user-to-user services,” including online messengers, to report any known or new content involving child sexual abuse or exploitation to the UK’s National Crime Agency (NCA).
Scan or go bust
Opponents of the bill argue that this means that service providers will have to use some kind of scanning technology to snoop on people’s chats so as not to miss any potentially illegal images, videos or texts. Those companies that refuse to “follow their new duties” could be fined up to £18 million ($22 million) or 10% of their global turnover, while their senior executives could face criminal charges. In “the most extreme cases,” the UK’s online safety regulator, Ofcom, could also require payment processors, advertisers, and Internet service providers to stop working with the non-compliant sites.
While the bill does not specify what kind of detection mechanism companies must use, critics say it is impossible to implement the law without undermining end-to-end encryption (E2EE). When a message is end-to-end encrypted, only the sender and the intended recipient can read it. For the app provider to scan the message, it would have to have access to its contents either before it’s encrypted or after it’s decrypted, making the idea of E2EE moot.
In the the letter, WhatsApp says as much:
The Bill provides no explicit protection for encryption, and if implemented as written, could empower OFCOM to try to force the proactive scanning of private messages on end-to-end encrypted communication services - nullifying the purpose of end-to-end encryption as a result and compromising the privacy of all users.
The letter’s signatories also rejected the argument by the bill’s supporters that it is possible to do both: to protect privacy and allow government-mandated surveillance.
Proponents say that they appreciate the importance of encryption and privacy while also claiming that it's possible to surveil everyone's messages without undermining end-to-end encryption. The truth is that this is not possible.
One of the WhatsApp and co.’s fears is that the bill could trigger a domino effect, prompting other countries to introduce similar legislation: “In short, the Bill poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copy-cat laws.”
WhatsApp has called for the UK government to “urgently rethink” the bill. The bill is expected to be passed this year, though, there’s no clear timeline as of when it may come into effect.
Will messaging apps abandon the UK?
Faced with the threat of hefty fines and criminal responsibility, several end-to-end encrypted messaging apps have already indicated they would leave the UK for good if there’ll be no changes to the draft.
In an interview with BBC in February this year, Signal’s president Meredith Whittaker said that the app would “absolutely 100% walk [from the UK] rather than ever undermine the trust that people place in us to provide a truly private means of communication.”
WhatsApp, the UK’s favorite messaging app, has also hinted that it would rather face a ban in the country than compromise end-to-end encryption.
The UK government, meanwhile, continues to say that there’s no need to panic, claiming that the requirement to detect child abuse material will not chip away at user privacy. The law, according to UK officials, “will not introduce routine scanning of private communications” as service providers allege, but will be used as “targeted power” only.
Facebook faces backlash over E2EE plans
The UK government insists that the Online Safety Bill “is not a ban on end-to-end encryption, nor will it require services to weaken encryption.” But it makes it clear that it views E2EE as a massive hindrance to law enforcement and discourages service providers from using it. On April 19, two days after WhatsApp published its letter, the Virtual Global Taskforce, a group of law enforcement agencies chaired by the UK’s NCA, condemned Meta for its plans to introduce end-to-end encryption by default in Facebook Messenger and Instagram.
“The announced implementation of E2EE on META platforms Instagram and Facebook is an example of a purposeful design choice that degrades safety systems and weakens the ability to keep child users safe,” reads the statement published by NCA.
The Taskforce, which counts 15 law enforcement agencies, including the FBI, urged Meta and others to “rethink encryption plans.”
Meta, however, has indicated that it has no plans to back off from rolling out the feature. A Meta spokesperson confirmed to ArsTechnica that the company still intends to enable end-to-end by default in Facebook Messenger by the end of this year. For Instagram, the feature may take longer to roll out, they added. They also said that Meta now has safety measures in place to deal with child abuse without having to read private messages.
It’s refreshing to see big industry players put aside their differences and present a united front in the face of legislation that has the potential to disrupt end-to-end encryption, a vital technology that protects our privacy and security online. E2EE ensures that our personal information and private chats are safe from the prying eyes of hackers, spies, criminals and governments. Undermining the protections it provides would leave us vulnerable to surveillance, blackmail, and censorship.
While some may argue that undermining E2EE is a small price to pay for keeping children safe, there are probably better ways to prevent child abuse and exploitation than scanning messages. As a society, we should invest more time and effort in teaching children how to recognize red flags and making sure they’re not afraid to talk to adults about them; explaining to children how the images and videos they post online can be misused; and using tools such as parental controls, filters, and blockers to set age-appropriate settings and restrict access to inappropriate content.