LONDON — Britain’s tough new plan to police the internet has left politicians in a stand-off with WhatsApp and other popular encrypted messaging services. Deescalating that row will be easier said than done.
The Online Safety Bill, the United Kingdom’s landmark effort to regulate social media giants, gives regulator Ofcom the power to require tech companies to identify child sex abuse material in private messages.
But the proposals have prompted Will Cathcart, boss of the Meta-owned messaging app, whose encrypted service is widely-used in Westminster’s own corridors of power, to claim it would rather be blocked in the U.K. than compromise on privacy.
“The core of what we do is a private messaging service for billions of people around the world,” Cathcart told POLITICO last month when he jetted in to London to lobby ministers over the upcoming bill. “When the U.K., a liberal democracy, says, ‘Oh, it is okay to scan everyone’s private communication for illegal content,’ that emboldens countries around the world that have very different definitions of illegal content to propose the same thing,” he added.
WhatsApp’s smaller rival, Signal, has also said it could stop providing services in the U.K. if the bill requires it to scan messages — echoing claims from the tech industry that date back more than a decade that they can’t create backdoors in encrypted digital services, even to protect kids online, because to do so opens the products up to vulnerabilities from bad actors, including foreign governments.
“We can’t just let thousands of pedophiles get away with it. That wouldn’t be responsible or proportionate for a government to do,” Science and Technology Secretary Michelle Donelan told POLITICO in February.
Ministers are keen to lower the temperature. But doing so will prove challenging, two former ministers told POLITICO on the condition of anonymity, given the likelihood of pushback from MPs, the complexity of the technology and the emotiveness of the issue.
Easier said than done
Finding a compromise is unlikely to be easy — and the row mirrors similar debates that are underway in the European Union and Australia over just how accountable tech platforms should be for potentially harmful content on encrypted services.
The debate over whether the requirements of the bill can be met while protecting privacy centers around “client-side scanning.”
While leaders at Britain’s National Cyber Security Centre and security agency GCHQ said last July they believe such technology can simultaneously protect children and privacy, other experts dispute their findings.
A raft of cryptographers criticized the technique in a report called Bugs in Our Pockets in 2021 prompting tech giant Apple to abandon plans to introduce client-side scanning on its services. In Australia, the country’s eSafety Commissioner recently published a report highlighting how the likes of Microsoft and Apple had few, if any, mechanisms to track child sexual abuse material, including via their encrypted services.
“This is not only companies really taking a blind eye to live crime scenes happening on their platforms, but they’re also failing to properly harden their systems and storage against abuse,” Australian eSafety Commissioner Julie Inman Grant told POLITICO. “It’s akin to leaving a home open to an intruder. Once that bad actor is inside the house, good luck getting them out.”
Hacking risk
Cybersecurity experts agree the U.K. bill’s demands are incompatible with a desire to protect encryption. They claim that privacy is not a fungible issue — services either have it or they don’t. And they warn that politicians should be wary of undermining such protections in ways that would make people’s online experiences potentially open to abuse or hacking.
“In essence, end-to-end encryption involves not having a door, or if you want to use a postal analogy, not having a sorting office for the state to search. Client-side-scanning, despite the claims of its proponents, does seem to involve some kind of level of access, some kind of ability to sort and scan, and therefore there’s no way of confining that to good use by lawful credible authorities and liberal democracies,” Ciaran Martin, the former chief executive of the government’s National Cyber Security Centre said.
Ministers insist that they support strong encryption and privacy, but say it cannot come at the cost of public safety.
Tech companies should be researching technology to identify child sex abuse before messages are encrypted, Donelan said. But the government also appears to be searching for a way to cool the row, and Donelan insisted the measure would be a “last resort.”
“That element of the bill is like a safety mechanism that can be enacted, should it ever be needed to. It might never be needed because there might be other solutions in place,” she said.
One official in the Department for Science, Innovation and Technology (DSIT), not authorized to speak on the record but familiar with government discussions, said DSIT wanted to find a way through and is having talks “with anyone that wants to discuss this with us.”
Melanie Dawes, Ofcom’s chief executive, told POLITICO that any efforts to break encryption in the name of safety would have to meet stringent rules, and such requests would be made in only the most extreme situations.
“There’s a high bar for Ofcom to be able to require the use of a technology in order to secure safety,” she said.
Lords debate
Peers in the unelected House of Lords, the U.K. parliament’s revising chamber, waded into the issue Thursday.
Richard Allan, a Lib Dem peer who was Facebook’s chief lobbyist in Europe until 2019, led the charge, saying tech companies will feel they’re “unable to offer their products in the UK under the bill.” He said undermining encryption opened the doors to hostile states and accused the government of playing a “high stakes game of chicken” with tech companies.
But Beeban Kidron, a crossbench peer who has been leading much of the work in the Lords around child safety, said although she had some sympathy for Allan’s arguments, Big Tech companies had to do more to protect users’ privacy themselves.
Wilf Stevenson, who is managing Labour’s response to the bill in the Lords, said he was not convinced the government’s plans were “right for the present day, let alone the future.” He added that under the bill “Ofcom is expected to be both gamekeeper and poacher,” with power to regulate tech companies and inspect private messages.
But Stephen Parkinson, who is guiding the bill through the Lords on behalf of the government, defended the legislation. “The bill contains strong safeguards for privacy,” he said, echoing Donelan’s statement that powers to inspect messages were a “last resort” designed to be used only in cases of suspected terrorism and child sexual exploitation.
Convincing ministers
Messaging services including Signal and WhatsApp are hoping for a ministerial climbdown — but few see one coming.
There is little prospect of large swathes of MPs, who will have the final say on the bill, riding to their rescue, according to two former ministers who have worked on the legislation.
“People are scared if they go in and fight over this, even for very genuine reasons, it could be very easily portrayed that they’re trying to block protecting kids,” one former Cabinet minister, a party loyalist, who worked on an earlier draft of the bill, said.
The second former minister said MPs “haven’t engaged with it terribly much on a very practical level” because it is “really hard.”
“Tech companies have made significant efforts to frame this issue in the false binary that any legislation that impacts private messaging will damage end-to-end encryption and will mean that encryption will not work or is broken. That argument is completely false,” opposition Labour frontbencher Alex Davies-Jones, said in a debate last June.
The widespread leaking of MPs’ WhatsApp messages has also undermined perceptions of the platform’s privacy credentials, the former Cabinet minister quoted above suggests.
“If you are sharing stuff on WhatsApp with people that’s inappropriate, there’s a good chance it’s going to end up in the public domain anyway. The encryption doesn’t stop that because somebody screenshots it and copies it and sends it on,” they lamented.
WhatsApp does have one ally in the former Brexit secretary and long-time civil liberties campaigner David Davis, though.
“Right across the board there are a whole series of weaknesses the government hasn’t taken on board,” he told POLITICO of the bill.
And on WhatsApp and Signal’s threats to leave the U.K., Davis thinks a point could be made.
“Well, I sort of hope they do. The truth is their model depends on complete privacy,” he said.
Update: This article has been updated to include comments from the latest House of Lords debate on the Online Safety Bill.