7 September 2023

Has the government really surrendered in its war on WhatsApp?

A wide range of policy wonks, academics, cryptographers, computer scientists, civil liberty activists, lawyers, and security experts have been warning lawmakers for years that the Online Safety Bill poses a threat to privacy. Concerns over the Bill’s handling of private messages have been especially pronounced, and prompted technology experts to meet with lawmakers to convince them to change the Bill ahead of its last lap in the Lords yesterday. 

Section 122 of the Bill is at the heart of the concerns raised by most privacy experts. The provision allows Ofcom to issue notices to online services requiring them to use ‘accredited technology’ to ‘identify [child sexual exploitation and abuse content], whether communicated publicly or privately by means of the service, and to swiftly take down that content’ (emphasis mine).

Services that offer end-to-end encryption such as WhatsApp and Signal are not able to reveal the content of private messages. Both organisations made it clear that they would leave the UK rather than compromise their users’ privacy. For a while, it looked as if the government was going to pass the Bill with Section 122 unaltered. However, recent meetings between lawmakers and technology policy experts seem to have prompted the government to provide some reassurance to the technology sector. 

Mere hours before peers began the Bill’s third reading, the Financial Times reported that the government was prepared to issue guidance to allay the concerns about Section 122. Standing in the House of Lords, Lord Parkinson, Parliamentary Under Secretary of State at the Department for Culture, Media and Sport, said that Ofcom would only seek to compel a company to use message scanning technology if such technology was feasible and achieved minimum standards of accuracy. According to the Financial Times, the government conceded that no feasible technology currently exists for encrypted content, something technology policy experts and cryptographers had been telling the government for years.

Signal President Meredith Whittaker praised the announcement while noting that it did not constitute a ‘final win’. The announcement was cause for some celebration to be sure. That the government has accepted that no current technology is capable of achieving some of the Bill’s aims and has committed to ensuring that such technology will have to meet minimum accuracy standards if it ever emerges is welcome. However, there are good reasons for civil liberty activists to be concerned.

Lord Parkinson’s guidance is not in the Bill. It does not bind future governments. What reassurance it offers rests on a foundation made of stubborn mathematical truths that render safe breaching of end-to-end encryption unworkable. 

Fortunately, Signal and WhatsApp leadership have not backed down from their commitment to their users. Such commitment suggests that even if a technologically feasible means to breach end-to-end encryption were to emerge, Signal and WhatsApp would prepare to leave the UK.

Those who value civil liberties should welcome that the government finally felt compelled to offer some guidance and limitations related to the scanning of private encrypted messages. But that such guidance came at such a late hour and is backed up by little more than a promise is concerning.

Sadly, the encryption debates associated with the Online Safety Bill represent a small fraction of the Bill’s flaws, many of which stem from the Bill’s underlying structure. The Bill is designed to achieve a wide range of ends by empowering a regulator, Ofcom, to police the internet. It does this by adapting crude and blunt requirements that ignore the nuances embedded in the content moderation decisions social media platforms make millions of times a day, which I outlined in more detail in a CPS paper last year.

The Bill will become law later this year with most of its most critical flaws included. The government may wish to portray its guidance on private messages as a nuanced way to maintain its goals, but those who value privacy and security should be aware that the government’s offering is toothless and remain vigilant. 

Matthew Feeney is Head of Tech at the Centre for Policy Studies.