1 March 2023

Are Brits about to lose access to private messaging?


Absent significant and unexpected developments, the Online Safety Bill (OSB) will become law later this year. The Bill, which is currently in the House of Lords, is an ambitious, byzantine, and voluminous piece of legislation that poses a threat to free speech, privacy, and competition. Businesses in the UK and abroad are keeping an eye on the Bill, and some of the best-known encrypted messaging services have announced or dropped strong hints that they will leave the UK if it becomes law. For WhatsApp and Signal to leave the UK would represent an unprecedented retreat of these services from a liberal democracy, which would put the privacy and security of millions of British citizens at risk. That such departures are even possible ought to embarrass lawmakers who still have time to fix the Bill. 

Last week, Signal president Meredith Whittaker told the BBC that the encrypted service ‘would absolutely, 100% walk’ if the OSB becomes law. This is because OSB is currently incompatible with Signal, which provides users with a messaging platform that protects messages with end-to-end encryption (E2EE). 

Whittaker’s comments sound similar to those made by head of WhatsApp Will Cathcart, who has said that WhatsApp is prepared to block the app in the UK in the event that OSB becomes law. Matthew Hodgson, the technical co-founder of the UK-based E2EE messenger service Element, has written about the risks of OSB on encryption and has hinted at Element (whose customers include the UK’s Ministry of Defence and the US Marine Corps) leaving the UK: ‘If the OSB remains in its current state, anyone with an iota of common sense would choose to establish their business elsewhere. Given its progressive digital privacy regulations, relocating within the EU would be a logical choice for many UK tech companies’. 

E2EE prevents the police, intelligence agencies, foreign adversaries, criminals, and providers of E2EE services from intercepting and reading user messages. Even if Signal, WhatsApp, or Element were served a valid law enforcement request for user messages they would only be able to hand over undeciphered gibberish. 

Some readers may wonder why Signal, WhatsApp, and Element are so worried about a bill that is ostensibly concerned with household name social media and search engine giants such as Facebook, Instagram, TikTok, Google, and YouTube. The reason is that OSB’s duties and poorly-considered definitions have combined to envelop a wide range of services and platforms that have nothing to do with social media. 

OSB’s reach is not confined to ‘social media’ companies. Rather, it imposes requirements on ‘user-to-user’ and ‘search’ services. The Bill defines ‘user-to-user’ services as the following: ‘”user-to-user service” means an internet service by means of which content that is generated directly on the service by a user of the service, or uploaded to or shared on the service by a user of the service, may be encountered by another user, or other users, of the service’. 

This definition includes many of the platforms that make headlines and that lawmakers and members of the public complain about: Facebook, TikTok, Twitter, and Instagram. However, it also includes a host of services that are not related to social media such as Wikipedia, Dropbox, and Airbnb. The Government’s own estimate is that 25,000 UK-based businesses would be within scope of the OSB’s duties. 

That the OSB includes E2EE messaging services like WhatsApp and Signal is important because the Bill empowers Ofcom to require services to use technology to search for specific illegal material.

OSB allows Ofcom to require a user-to-user service to ‘use accredited technology’ to identify child sexual exploitation and abuse material (CSEA), prevent users from encountering CSEA, and to take down CSEA whether such material is communicated publicly or privately. It would be impossible for E2EE services to comply with these requirements without breaking their own encryption and compromising the safety and privacy of users. 

Some might argue that techniques such as client-side scanning (CSS) would allow Signal, WhatsApp, Element, and other platforms offering E2EE services to detect and report CSEA material without compromising the privacy and security of law-abiding users. CSS, allows law enforcement agencies to analyse content on a device before encryption or shortly after decryption and compare that content to a database of known illegal content. 

This might sound plausible, but as the Electronic Frontier Foundation has explained, it is not possible to build a CSS system that can only search for CSEA. A group of notable cryptographers and computer scientists have noted that ‘CSS neither guarantees efficacious crime prevention nor prevents surveillance. Indeed, the effect is the opposite. CSS by its nature creates serious security and privacy risks for all society while the assistance it can provide for law enforcement is at best problematic. There are multiple ways in which client-side scanning can fail, can be evaded, and can be abused.’ Apple announced a plan to implement a CSS system before abandoning it in the wake of widespread criticism from cryptographers and civil liberties groups. 

According to the internet censorship observatory OONI, governments in Iran, China, Cuba, and Uzbekistan have taken steps to block Signal. WhatsApp is banned in China, North Korea, Syria, Qatar and the UAE. It is not hard to guess why governments in these countries fear E2EE. Privacy and free expression are not values authoritarian governments can tolerate. Unfortunately, the UK is poised to join the list of countries where residents cannot access popular E2EE services not because of an authoritarian coup, but because the British government (which pledged to support ‘free speech’ and defend ‘freedom of expression’ in its last general election manifesto) is intent on passing legislation that would cripple E2EE. 

That the OSB is well-intended will mean little to the millions of British citizens, businesses, and residents that will likely lose access to E2EE services as a result of the Bill becoming law. Fortunately, MPs and peers still have time to fix the OSB to ensure that E2EE is protected. Unfortunately, a critical mass of lawmakers seem to have committed to the sunk cost fallacy and are intent on passing OSB, warts and all, just because it has been in the works for years. UK residents who use E2EE services should plan for a time when it is harder to keep their communications secure. 

Click here to subscribe to our daily briefing – the best pieces from CapX and across the web.

CapX depends on the generosity of its readers. If you value what we do, please consider making a donation.

Matthew Feeney is Head of Tech & Innovation at Centre for Policy Studies.