UK flag on digital screen showing onlince safety bill and privacy concerns

Citing Privacy Concerns, WhatsApp, Signal Wage Media Campaign Against UK Online Safety Bill

WhatsApp and Signal, two of the largest privacy-focused messaging apps, have joined forces to petition against the United Kingdom’s proposed Online Safety Bill due to privacy concerns. They are accompanied in this effort by several other smaller privacy apps, such as Viber and Wire, who have signed on to an open letter directed to UK legislators.

First drafted in May 2021, the bill would essentially require that the government be given backdoor access to any end-to-end encryption systems. Private messaging apps obviously see that as an existential threat to their business, and both WhatsApp and Signal have already indicated that they will pull their business from the UK market entirely if the Online Safety Bill ultimately becomes law.

Online safety bill could push apps that rely on encryption out of the UK

WhatsApp head Will Cathcart had already threatened to pull the app from the UK weeks prior to the publication of this open letter, saying that only 2% of its business was in the country and the changes mandated by the Online Safety Bill would jeopardize the other 98%. An April 17 Twitter post from Signal staked out a similar position, stating that country-specific encryption backdoors are untenable and that there cannot be a separate “British internet.”

While the Online Safety Bill does not directly mandate government backdoor access to encrypted messages and files, privacy concerns are centered on the fact that it grants the Office of Communications (Ofcom) the power to demand that an app scan and log private user messages in the interest of assisting government investigations. There would be no way to do this without entirely breaking end-to-end encryption, likely leading to a mass exodus of users from the platform. It would also be very unlikely that this functionality could be safely limited to just the residents of the UK, or any territory with similar laws, without opening the same internal doors to users in other parts of the world.

The UK government position with the Online Safety Bill is that it must essentially be able to break encryption on request to track child traffickers and terrorists. Aside from the general and obvious privacy concerns, critics point out that allowing backdoor government access to encryption endangers journalists working with confidential sources, human rights workers, activists and others in similarly vulnerable positions. It also creates a crack in the overall system that attackers might find a way to exploit.

WhatsApp has already been banned in several countries, including China, for refusing to allow the government some form of backdoor access to user messages. If the UK government continues to push on in spite of privacy concerns, it would join the likes of the UAE and North Korea in the collection of relatively few countries that encrypted messaging apps cannot operate at normal strength in.

Some tech experts, members of government seek compromise on privacy concerns

Since its draft introduction in 2021, the Online Safety Bill has seen numerous changes due to privacy concerns being raised. Initial proposed requirements for moderating and removing “legal but harmful” content were toned down, with platforms instead instructed to give users greater control over what types of content they can elect to see.

WhatsApp, Signal and the other letter signatories say that they want to see the Online Safety Bill revised to consider privacy concerns in this way, rather than scrapped entirely. The bill still faces a long road to passage, with some industry and government experts of the opinion that it would not be likely to become law until at least 2024 and have its terms go into effect until 2025 at the earliest.

Element founder Matthew Hodgson, one of the letter’s signatories, thinks that the bill will ultimately fail. He points out that small businesses, which make up over 99% of those in the UK (and 99.9% if “medium” enterprises are included), are very likely to mount vigorous opposition given how onerous the terms will be for them to comply with. And the criminals will simply shift to alternate methods of encryption that platforms cannot police, or to apps that are based in other countries (such as Russia) that do not even pretend to give a fig about UK law.

The government’s preferred approach would be “client-side scanning,” which it claims does not break encryption. Critics disagree, and in 2021 rampant privacy concerns about the technique forced Apple to back down from plans to implement it for automated scanning of images for markers of known child abuse material. The Online Safety Bill’s current proposal would also require these apps to insert third-party proprietary code prepared by the government to do the scanning, something that nearly all app developers will not react well to.

Rusty Carter, Chief Product Officer at SafeGuard Cyber, sees the bill as a catastrophe waiting to happen that could be avoided with alternative law enforcement approaches: “We are seeing in the UK online safety bill another instance of potential mass surveillance and erosion of security and privacy under the premise of safety. While it is no doubt in the public interest to protect citizens from organized crime and abuse, regulations that are ignorant of, or in opposition of the principles and values of E2EE will ultimately lead to increased vulnerabilities and unintended compromises of privacy and security. Security back doors and centralized key management that would allow decryption of communications from governments and others is fundamentally dangerous and has historically led to devastating consequences resulting from insider threats, vulnerabilities within the service provider organization being exploited by 3rd parties, and corrupt intents (such as mining / selling insights and personal information or metadata to 3rd parties, advertisers, and for political targeting).”

“There are numerous existing ways for public entities to protect citizens and identify threats to public safety that do not lead to dissolution of individual privacy and increased vulnerability to widespread compromise of security. Commercial industries and organizations should also get behind the protection of strong encryption and E2EE communications. With industries ranging from healthcare, financial services, technology, and security / defense relying on secure communications to conduct business, any and every threat to E2EE puts businesses at substantial risk to undetectable exposure and catastrophic loss. Security back doors are non selective and if introduced into products, means that anyone can and will ultimately go through them.  Potential loss and risk to individual citizens, businesses, and stewards of sensitive data and communications abound,” added Carter