Ask any marketing department these days what a good visual shorthand for cybersecurity looks like, and they’ll probably reply with some variation on a lock and key. For stock photography connoisseurs, that means padlocks: padlocks with wires, leaking binary code, or sitting on laptop keyboards one desk away from the ubiquitous and appropriately menacing hacker in a hoodie. Those departments with actual budgets, meanwhile, usually get to upgrade to bank vaults: witness Samsung Knox, by way of an example, depict your average cybercriminal trying to whack his way through to your personal data with a giant hammer. WhatsApp went one further last October, hiring out Piccadilly Circus’ famous billboard for an impressive 3D light show climaxing in – you guessed it – an impenetrable steel safe.
The advert came during a fraught time for the instant messaging giant. A beneficiary of the post-Snowden era when the public embraced free, encrypted messaging apps, WhatsApp now faced the prospect of encryption being undermined by the UK’s Online Safety Bill.
Intended, in part, to thwart the spread of harmful and illegal material across the internet, the legislation won plaudits from content moderation advocates and charities like the NSPCC for the rigour with which the government proposed to eradicate online hate and misinformation. Achieving this, however, seems to rest on building a ‘backdoor’ into the end-to-end encryption (E2EE) that, according to WhatsApp and others, could compromise the digital privacy of the millions of users who aren’t, in fact, trafficking in illegal content.
Unsurprisingly, WhatsApp isn’t happy. In April, the platform threatened to leave the UK altogether if the Online Safety Bill’s encryption provisions passed into law. “We won’t lower the security of WhatsApp,” the firm’s chief, Will Cathcart, told The Guardian. “We have never done that — and we have accepted being blocked in other parts of the world.”
WhatsApp isn’t alone in making such threats. That same month, the president of Signal, Meredith Whittaker, along with five other messaging services, signed an open letter calling on the government to revise its thinking on encryption. The UK, they said, was sleepwalking into a cybersecurity nightmare with a bill that ‘poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copycat laws.’ https://techmonitor.ai/government-computing/online-safety-bill-end-to-end-encryption-whatsapp-signal
Despite these entreaties, the UK government shows no sign of backing down. “We can’t just let thousands of paedophiles get away with it,” Michelle Donelan, the science and technology secretary, told POLITICO in February. “That wouldn’t be responsible or proportionate for a government to do.” That leaves open the possibility that, in time, encrypted messaging apps will exit the UK in droves. Apple has threatened to remove FaceTime and iMessage. WhatsApp, meanwhile, is estimated to be used by 79% of online adults in the UK – might it leave, too?
A world without WhatsApp
All signs indicate the answer to that question lies in the affirmative – not least given the practical implications in building a state-approved ‘back door’ into messaging networks. Advocates for the bill argue that it is perfectly possible to give the government a portal into these networks through the use of client-side scanning, wherein message content is automatically compared against a database of known illegal material. Only when the system thinks the message contains prohibited content will it be forwarded to law enforcement.
Critics say that client-side scanning imposed at a national scale will only work on paper. Leaving aside the vast philosophical objections many users are likely to have toward a machine reading all their private missives, such a system is also likely to result in a large rate of false positives.
‘Proponents say that they appreciate the importance of encryption and privacy while also claiming that it’s possible to surveil everyone’s messages without undermining end-to-end encryption,’ reads the open letter signed by Cathcart and Whittaker. ‘The truth is that this is not possible.’
There are also some big cybersecurity concerns. “If you put a backdoor in, that obviously gives the government access, but also anyone else who manages to compromise that backdoor,” explains cybersecurity advisor Chris Cooper. “You’re effectively creating a flaw in the software, and you can pretty much guarantee […] that somebody will eventually find it.”
Jake Moore, a cybersecurity advisor at ESET, argues that this would undermine the services’ entire appeal. Having spent 14 years assisting Dorset Police with digital forensics, Moore says he understands where legislators are coming from, but still thinks their approach toward policing illegal content online is fundamentally misguided. “I know the power of being able to read or intercept a message – it makes the best evidence possible,” he says. “But if we’re going to pick out that one angle, then simply they’re going to use other forms of communication. They would quite simply move victims, unbeknown victims, or victims-to-be onto other platforms.”
It’s not just about the apps’ security principles, but also the practical dilemma of developing new tools just for the UK. For a global app like WhatsApp, security is international. “You’re not just talking about compromising the security for the UK customer,” says Cooper. “If they’re talking to somebody in the US, for example, then you’re also compromising their message as well.”
Even if it were technically possible to build a backdoor for WhatsApp in the UK, there’s also the question internally at the firm as to whether doing so makes commercial sense. Catering for Brexit Britain probably doesn’t carry as much water as close adherence to US or EU regulations, argues Ross Anderson, a professor of security engineering at the University of Cambridge. “Nobody cares at all about different product safety standards that a British government department might care to enact,” he says, especially given that the UK is more or less alone among liberal democracies in contemplating the end of E2EE. “You don’t want to make a separate product for a small national market that’s 1% of the world population.”
How, then, might WhatsApp and Signal’s exit from the UK market play out? Practically speaking, it could arise from a simple ban from Ofcom as a result of non-compliance with the OSB, delivered in the form of a block from UK app stores. Motivated users might just turn to proxies and VPNs, explains Cooper, but these attempts could be thwarted either through new legislation or – if the companies are so inclined – by a ban on UK IP addresses and area codes by WhatsApp and Signal themselves.
Even if UK customers were able to continue using pre-downloaded apps, they probably wouldn’t be able to get any updates. “That means the apps won’t be secure,” says Moore, “because they’ll be missing the updates and patches that should be there.”
Many businesses would inevitably have to change the way they communicate with their clients and customers. This could even involve a step back towards more traditional methods as they scramble to maintain lines of communication to customers through other messaging platforms, or else in-house the process entirely. It might result in a reversion to “more traditional call centre approaches,” says Cooper, “and you know how hard it is to get through to those.”
Will WhatsApp really leave the UK? Deryck Mitchelson isn’t so sure. “I think it’s likely [the Online Safety Bill] will get watered down,” says the CISO of Check Point Software Technologies. “Encryption, for many years, has sat at the heart of transactions on the internet,” says Mitchelson — warning that the UK’s strategy might stunt its economic development (not to mention its democratic reputation) in the digital age. Encryption, after all, “drives the way we work as a digital economy. And if you start to erode that, in any shape or form, my concern is that you actually start to meddle with probably one of the most important technologies that helps to drive us forward as a digital nation.”
Liberal Democrat Peer Richard Allan, a former lobbyist for Facebook (now Meta), has been one of the most engaged critics of the Online Safety Bill in the House of Lords. In the best case scenario, he wrote in a recent blogpost, Ofcom could work with services like WhatsApp to develop harm reduction plans that don’t compromise core features like encryption. In the worst, however, these services will simply leave the UK if mandated to deploy technologies that would undercut their core brand.
“I think it’s relatively unlikely that Ofcom would call their bluff on this because of the wide use made by the government — including the intelligence community themselves — of WhatsApp and Signal,” says Anderson. “WhatsApp is basically how the country is run,” he says wryly, noting that Matt Hancock, as demonstrated by the trove of more than 100,000 messages leaked to The Telegraph in March, “was running the pandemic on WhatsApp.”
Intelligence operations, too, rely on the encryption offered by apps like Signal. “If Meredith Whittaker were to flick the off-switch so that Signal were no longer available at UK IP Addresses, it would cause considerable damage to intelligence operations — in the UK and beyond,” explains Anderson. “As a strategy of mutually-assured destruction, it’s perhaps of interest to the game theorists, but I suspect it won’t come about.”
The Online Safety Bill will have its third reading in the House of Lords in September, which could provide the kind of amendments needed to give the government — and the opposition — an off-ramp from the controversy surrounding end-to-end encryption. While neither the Conservatives nor Labour are keen to openly oppose legislation intended to protect children from serious online harm, changes that weaken or eliminate the legislation’s encryption provisions will likely remove a point of controversy in a bill both parties largely agree on.
After all, argues Moore, there are other, more praiseworthy aspects of the bill that have been obscured by the debate over the future of encryption, like the new powers for regulators to hold social media companies to account for hosting harmful and illegal content. It’s about time that the argument over passage ended so that these measures can be passed into law, he says. “The Online Safety Bill has been going around in circles for many years,” argues Moore. “They’ve just bitten off far too much to chew, and it’s making everything slow down.”