Upcoming UK internet legislation is based on “magical thinking” that puts everyone’s privacy at risk, the head of secure messaging app Signal has warned.
Meredith Whittaker, Signal’s president, is one of many in the tech world who have warned that the upcoming Online Safety Bill will compromise the privacy of UK citizens. It, along with WhatsApp, have indicated that the current version of the bill could force its app to become impractical in the UK and it could be forced to pull out of the country.
Both signed an open letter, published alongside five other messaging apps, that warned the legislation is “an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copy-cat laws”.
After that letter was published, the UK’s Home Office published a video in which it suggested that the use of security features on WhatsApp and other platforms had made it harder for police to stop child sexual abuse. “The roll out of end-to-end encryption means the light that has shone on these crimes will be switched off,” it said in a tweet.
Ms Whittaker said the video offered “scientifically unsubstantiated claims”. But she said that the video had also “pulled the veil off the intentions behind this bill”, and that it had made clear the legislation “really is attacking encryption”.
“It appears to me that there’s a little bit of desperation – and now they’ve taken the gloves off,” she told The Independent. “And they are saying the quiet part loud, which is that we don’t want more encryption.”
End-to-end encryption is a security technology that ensures that only the sender and recipient of a message are able to read it, and that it is hidden even from the messaging platform that is delivering it. Such encryption is used on most popular messaging platforms, from Apple’s iMessage to Meta’s WhatsApp and Facebook Messenger, as well as Signal.
Messaging apps, security experts and rights experts say that encryption is required to ensure that messages stay safe from hackers and others. But law enforcement and politicians have repeatedly argued that it also protects the messages of criminals, and so must be weakened.
Most recently, that has come in the form of the UK’s Online Safety Bill, which may be passed within months. Clause 110 of that legislation requires that messaging apps scan the content that is sent through them for illegal content, but that is not possible with existing technology since end-to-end encryption means those platforms are unable to scan or see those messages.
That has led WhatsApp, Signal and others to argue that the bill could break end-to-end encryption, since it is not explicitly protected in the bill. They have expressed fears that it could let regulator Ofcom demand that they scan through messages, which they say would “compromise the privacy of all users”.
UK politicians and police have argued that compromise is necessary to ensure that illegal content is not being distributed through online messaging platforms. They have pointed to the vast amount of child sexual abuse material, or CSAM, that is being distributed online.
But Ms Whittaker said that online services were being used as a scapegoat for that abuse – and that the government was failing to pursue more effective strategies, such as funding preventative services and other “scientifically-backed approaches to actually countering abuse”.
“I think there isn’t a human being with a functioning heart alive that isn’t horrified by the spectre of child abuse. It’s an extremely emotionally evocative topic,” she said. “But I think the emotional weight of that subject is not is not met by the rigour of the solution they’re proposing.
“If you look at where does abuse happen, it happens in families. It happens in institutions of trust with people who are generally authority figures trusted by children. It happens in real life. And that’s where interventions need to happen. We cannot de-materialise something as serious and as harmful as abuse to children.”
Ms Whittaker voiced concerns that the new legislation will not only cause problems for users in the UK, but could allow other governments to launch similar measures. She said there is often “copy pasting” between different governments, and that it would only require a weakening of encryption in one country for that same information to be available to other allies.
She restated Signal’s commitment that it would not “undermine or compromise the privacy and safety promises we make to people in the UK, and everywhere else” if they were required to under the new law. That could mean the company could be forced to withdraw from the UK, but it would try and ensure that the service continued to operate if it did.
“When Iran blocked Signal, we understood that the people in Iran who relied on Signal for privacy weren’t represented by their authoritarian government. So what we did is we worked with our community to set up proxies and other means that would do what we could to make sure people in Iran could get access to Signal,” she said.
“So you know, similar with Iran, we will do everything in our power to make sure that people in the UK can also have access to signal and access to the right to privacy.”
Ms Whittaker’s comments came shortly before an article was published in The House magazine that suggested the Conservative Party may not be united behind the new plans. Syed Kamall, who sits in the House of Lords and served as a minister in the Department for Digital, Culture, Media and Sport until late last year, said the legislation could leave citizens at risk.
“The Online Safety Bill is laudable in intent, but raises a number of questions. There is a wide consensus on protecting children from pornography and ensuring that neither they nor vulnerable adults are exposed to illegal content,” he wrote.
“However, while most of us want our daily communications, now conducted almost entirely over the internet, to be secure, an unintended consequence of the bill may make apps more vulnerable to attack or interception by bad actors.”
He said the legislation is not yet a “workable bill” and requires “further close scrutiny and a debate about trade-offs and unintended consequences”. “With so much of our lives conducted online, it may be no exaggeration to say that the UK’s future as a global tech hub and as a safe place to communicate online depends on getting this right,” he added.