
WhatsApp, Signal Preview UK Exit Over Threat to Encryption

UK's Online Safety Bill Criticized for Infringing on Private Communications

Major internet chat platforms are urging the United Kingdom government to reconsider a bill intended to decrease exposure to online harms but which opponents say would open the door to massive government surveillance.


Tech rivals Signal and WhatsApp joined forces to warn the British government that the bill "would fundamentally undermine everyone's ability to communicate securely."

WhatsApp head Will Cathcart told The Guardian earlier this year that his company would rather leave the U.K. than comply with the bill. On Tuesday, Signal tweeted, "We will not back down on providing private, safe communications." Signal President Meredith Whittaker told the BBC in 2022 that the organization "would absolutely, 100% walk" if the bill became law. Both apps offer end-to-end encryption, meaning only chat participants can decrypt message content.

The Conservative government's Online Safety Bill would empower U.K. communications regulator Ofcom to order digital chat services to deploy "accredited technology" to identify content tied to terrorism or child sexual exploitation and abuse. It would also impose a duty of care onto chat providers to prevent users from encountering terrorist or child pornography content and minimize the length of time it is present on the service.

"The only way for service providers that offer end-to-end encryption to comply with this duty of care would be to remove or weaken the encryption that they offer," concluded the Internet Society in a 2022 assessment.

Government supporters have said the bill would not require chat apps such as WhatsApp and Signal to compromise end-to-end encryption through backdoors but instead would facilitate law enforcement access to routing metadata, which is not encrypted. They emphasized the need for protections against harmful online content. "The onus for keeping young people safe online will sit squarely on the tech companies' shoulders," wrote Michelle Donelan, then the secretary of state for digital, culture, media and sport, in late 2022 after the Conservative government reintroduced it in amended form.

Security and civil rights groups say the bill should explicitly safeguard end-to-end encryption and warn that it shouldn't lead to government-instigated client-side scanning in order to sidestep the thorny issue of backdoors but still obtain messages that would otherwise be inaccessible because of encryption.

"Proponents say that they appreciate the importance of encryption and privacy while also claiming that it's possible to surveil everyone's messages without undermining end-to-end encryption. The truth is that this is not possible," states the Tuesday letter from WhatsApp and Signal. Executives from messaging applications Element, Session, Threema, Viber and Wire also signed the letter.

"Those pushing the Online Safety Bill need to understand just how serious providers of our secure messengers are about not doing as it mandates," tweeted Alan Woodward, a computer science professor at the University of Surrey who has advised the government on cybersecurity matters, including its 5G rollout.

The British government is hoping to have its bill go into force next year.

Some critics predict a worst-case scenario if the proposal goes into effect.

"The Online Safety Bill will prevent everybody in the United Kingdom from communication with people overseas," cybersecurity veteran Alec Muffett, a software engineer who previously worked on security at Facebook, wrote in a blog post.

"It will end free movement of digital speech. It will be CyberBrexit," Muffett added.


About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



