Since 2019, Facebook has been talking about adding end-to-end encryption to all its messaging services. It appears that the government of the United Kingdom would prefer that these plans go no further. The Home Office, the agency responsible for most of the police work done in England and Wales, is slated to deliver a keynote speech on April 19 that will call on the government to increase regulation of the technology. The speech will be accompanied by a report that takes social media and tech companies to task for not doing enough to protect children.
The agency also appears to be endorsing the proposed Online Safety Bill, which would make it compulsory for tech companies to share data about child abuse with the government. The terms of the bill stipulate that services failing to meet prescribed standards of “duty of care” to users could face massive fines and could be blocked from UK access.
UK government opposes end-to-end encryption on messaging platforms
Home Secretary Priti Patel is delivering the keynote speech at a roundtable organized by the National Society for the Prevention of Cruelty to Children (NSPCC) on April 19. Wired UK reports that a draft invitation reveals that Patel’s planned speech will address Facebook’s plans and call for end-to-end encryption to be more strongly regulated by the government.
The core of the argument is that end-to-end encryption makes it too difficult for law enforcement to track criminals on messaging apps, and particularly hampers investigations of child abuse and grooming. While law enforcement agencies generally are not supporters of end-to-end encryption, there is strong public demand for it in messaging apps. Facebook’s messaging services have bled millions of users in recent months to Signal and Telegram, in no small part because those smaller services are perceived as having better security and greater respect for user privacy. WhatsApp does have end-to-end encryption, but also shares a great deal of user data with Facebook. Facebook Messenger has end-to-end encryption as an option (“secret” messages); Facebook has pledged to make it the default state for all messages at some point in the future.
Patel’s speech is slated to be backed up by a report from PA Consulting, a firm that has been working with the Department for Digital, Culture, Media and Sport (DCMS) on the Online Safety Bill. An early draft of the report indicates that it will frame the issue as one of adult privacy vs child safety, arguing that tech companies and social media platforms cannot possibly make up for the loss of investigative ability that end-to-end encryption will create.
The Online Safety Bill would not ban end-to-end encryption or mandate that backdoors be created for law enforcement, but it would require that services demonstrate that they are meeting a “duty of care” to their users. Those that did not meet this standard, which could be difficult to do if user messages are not visible, could be fined heavily by enforcement agency Ofcom: up to 10% of annual global turnover or £18 million, whichever amount is higher. Ofcom could, in extreme cases, also require that platforms implement automated systems that filter out illegal content.
The NSPCC feels that this stringent bill does not go far enough. The agency has urged the country’s digital secretary to add terms that ban platforms from implementing end-to-end encryption until they can demonstrate that they are capable of protecting children, apparently to be determined by a series of tests developed by Ofcom.
The Home Office additionally told Wired that “… end-to-end encryption poses an unacceptable risk to user safety and society.” Patel has been an outspoken critic of it since 2019, repeatedly calling on Facebook and the members of the Five Eyes intelligence partnership to put an end to it.
Right to demand decrypted conversations
Though the Online Safety Bill allows for platforms to continue implementing end-to-end encryption, it would also give the Home Office a means to demand decrypted conversations from technology companies and social networks in cases where a warrant could be obtained. If the bill passes, the Home Office would be given the power to issue a Technical Capability Notice (TCN), with which it could demand that platforms cease plans to implement end-to-end encryption while the investigation was ongoing. Platforms would also be legally barred from public discussion of TCNs brought against them. A TCN could be stymied by an existing encryption protocol being too strong; reportedly, WhatsApp is not in danger of being ordered to provide encrypted messages to the government, as it uses the Signal protocol, for which there is no “reasonable method” to break the encryption or add backdoor access.
Richard Blech, Founder & CEO of XSOC CORP, points out that an unintended consequence of the Home Office’s push to weaken end-to-end encryption could be an explosion of vulnerabilities. These, ironically, might disproportionately impact members of the government that require heightened privacy and security in carrying out their daily duties: “Surveillance does not correlate to improved security — it actually weakens it. The Communications Assistance for Law Enforcement Act (CALEA) is a 1994 law mandating that phone companies build wiretapping mechanisms into their call switching mechanisms so that the U.S. government could more efficiently conduct domestic surveillance (e.g., “lawful intercept,” or LI). Unfortunately, CALEA caused unintentional vulnerabilities in internet switches made by Cisco. Indeed, when CALEA-compliant switches were assessed by the NSA for use in Department of Defense (DoD) networks, significant vulnerabilities were found in switches used for testing … The vulnerabilities are not just theoretical. Over a 10-month period (and possibly much longer) ending in 2005, the phones of over 100 senior members of the Greek government were bugged due to an LI capability in Ericsson switches used by Vodafone Greece, the country’s largest cellular communications provider. The LI capability was co-opted and exploited by one or more malicious actors.”