Encryption & Key Management , Geo Focus: The United Kingdom , Geo-Specific
WhatsApp, Signal Preview UK Exit Over Threat to Encryption
UK's Online Safety Bill Criticized for Infringing on Private CommunicationsMajor internet chat platforms are urging the United Kingdom government to reconsider a bill intended to decrease exposure to online harms but which opponents say would open to door to massive government surveillance.
See Also: OnDemand | Identity Crisis: How to Combat Session Hijacking and Credential Theft with MDR
Tech rivals Signal and WhatsApp joined forces to warn the British government that the bill "would fundamentally undermine everyone's ability to communicate securely."
WhatsApp head Will Cathcart told The Guardian earlier this year that his company would rather leave the U.K. than comply with the bill. On Tuesday, Signal tweeted, "We will not back down on providing private, safe communications." Signal President Meredith Whittaker told the BBC in 2022 that the organization "would absolutely, 100% walk" if the bill became law. Both apps offer end-to-end encryption, meaning only chat participants can decrypt message content.
The Conservative government's Online Safety Bill would empower U.K. communications regulator Ofcom to order digital chat services to deploy "accredited technology" to identify content tied to terrorism or child sexual exploitation and abuse. It would also impose a duty of care onto chat providers to prevent users from encountering terrorist or child pornography content and minimize the length of time it is present on the service.
"The only way for service providers that offer end-to-end encryption to comply with this duty of care would be to remove or weaken the encryption that they offer," concluded the Internet Society in a 2022 assessment.
Government supporters have said the bill would not require chat apps such as WhatsApp and Signal to compromise end-to-end encryption through backdoors but instead would facilitate law enforcement access to routing metadata, which is not encrypted. They emphasized the need for protections against harmful online content. "The onus for keeping young people safe online will sit squarely on the tech companies' shoulders," wrote Michelle Donelan, then the secretary of state for digital, culture, media and sport, in late 2022 after the Conservative government reintroduced it in amended form.
Security and civil rights groups say the bill should explicitly safeguard end-to-end-encryption and warn that it shouldn't lead to government-instigated client-side scanning in order to sidestep the thorny issue of backdoors but still obtain messages that would otherwise be inaccessible because of encryption.
"Proponents say that they appreciate the importance of encryption and privacy while also claiming that it's possible to surveil everyone's messages without undermining end-to-end encryption. The truth is that this is not possible," states the Tuesday letter from WhatsApp and Signal. Executives from messaging applications Element, Session, Threema, Viber and Wire also signed the letter.
"Those pushing the Online Safety Bill need to understand just how serious providers of our secure messengers are about not doing as it mandates," tweeted Alan Woodward, a computer science professor at the University of Surrey who has advised the government on cybersecurity matters, including its 5G rollout.
The British government is hoping to have its bill go into force next year.
Some critics predict a worst-case scenario if the proposal goes into effect.
"The Online Safety Bill will prevent everybody in the United Kingdom from communication with people overseas," cybersecurity veteran Alec Muffet, a software engineer who previously worked on security at Facebook, wrote in a blog post.
"It will end free movement of digital speech. It will be CyberBrexit," Muffet added.