WhatsApp, Signal and other messaging service giants have signed a joint open letter criticizing the UK Government’s proposed Online Safety Bill (OSB) for posing risks to “everyone’s privacy and safety.”
At its core, the legislation is aimed at forcing tech firms to tackle online abuse. However, the letter's signatories are concerned that the requirement to monitor such messaging platforms undermines end-to-end encryption (E2EE).
“We don’t think any company, government or person should have the power to read your personal messages and we’ll continue to defend encryption technology,” said a WhatsApp statement. The company argues that parts of the OSB make “people in the UK and around the world less safe.”
The open letter states: “As currently drafted, the Bill could break end-to-end encryption, opening the door to routine, general and indiscriminate surveillance of personal messages.”
The letter has been signed by:
- Element chief executive Matthew Hodgson
- Oxen Privacy Tech Foundation and Session director Alex Linton
- Signal president Meredith Whittaker
- Threema chief executive Martin Blatter
- Viber chief executive Ofir Eyal
- Head of WhatsApp at Meta Will Cathcart
- Wire chief technical officer Alan Duric
In its current form, the OSB mandates that websites and apps must proactively prevent harmful content in messaging services.
Lisa Forte, partner at Red Goat Cybersecurity, told Infosecurity, “To do that they would need to be able to scan all user content. This, at best, means that end-to-end encryption needs to be watered down until it's devoid of any substantive protection or it will end up not being used at all.”
She added, “The UK Government argues it is a necessary step to catch criminals in a digital age. Solving crimes is supposed to be hard. That is a core pillar of a free and democratic society. Criminals will likely deploy other encryption services leaving the only people impacted those that are law abiding citizens.”
The concerns of the messaging companies are “completely valid” according to Paul Holland, CEO at Beyond Encryption.
He argued that the OSB in its current guise directly contradicts obligations placed on businesses by the UK GDPR and the Information Commissioner's Office (ICO). Holland concurs with the assessment that the requirement for encryption 'backdoors' undermines end-to-end encryption and “renders it useless.”
Speaking on the issue, Jake Moore, Global Security Advisor at ESET, said: “The security and privacy of millions of people could be put at risk simply to appease a bill that still does not suggest how it will protect the UK. We would simply reverse all the good work we have achieved if we were to allow a backdoor into everyone’s messages.”
A Call for Common Sense
However, Brian Higgins, security specialist at Comparitech, argued that common sense should allow for a compromise on this issue and suggested that the likes of WhatsApp and Signal are too focused on profits and revenue. Higgins also questioned how enforceable the OSB restrictions would actually be.
“Providers of encrypted messaging platforms have long been hiding behind ‘user privacy’ to avoid any attempts to prevent the harms they cause to children, young and vulnerable people by allowing blanket access for predatory and malicious actors,” Higgins said in a statement.
He argued that while these predatory actors represent a very small percentage of users, the resources involved in identifying and removing them as well as supporting prosecution “fly in the face of the operator’s commercial business goals.”
“Common sense should dictate that there is a compromise to be reached here but any concessions would certainly impact on revenues and profits. Unfortunately, cash comes before children for these companies, and they appear to prefer threats over conversations. I’m not quite sure how enforceable the OSB restrictions would be if implemented in their current form, but surely there is a middle ground that lawmakers and operators can reach. The only victims will continue to be consumers if they don’t,” he said.
Despite this, the issue of the OSB has led to companies like Signal and WhatsApp threatening to withdraw services from the UK if the proposed legislation were to go ahead.
“When WhatsApp says it would rather be blocked in the UK than weaken the privacy of encrypted messages, it powerfully shows how serious the issue is,” Moore noted.
Forte argued that the problem poses a huge risk to all UK citizens but especially those engaged in investigative journalism and human rights.
WhatsApp for instance is currently banned in China, North Korea, Syria, Qatar and the UAE. In China, the messaging service has been blocked because parent company, Meta, is unwilling to give the Chinese government permission to moderate messages sent on the service.
Forte said, “Removing the core protections afforded by E2EE will place the UK in an exclusive club of countries that I don't think are particularly aspirational from a privacy or human rights perspective.”
Leveraging network authentication data is one way to solve this issue, according to Holland. “There are avenues available to us that can create safer and more trusted online worlds. Through leveraging network authentication data, we can verify users online and maintain their anonymity. This crowd-authentication can protect children and the vulnerable when online without impacting the online security and privacy of wider society.”