Billions of people around the world use a messaging app equipped with end-to-end encryption, such as WhatsApp, Telegram, or Signal. In theory, end-to-end encryption means that only the sender and receiver hold the keys they need to decrypt their message. Not even an app’s owners can peek in.
In the eyes of some encryption proponents, this privacy tool now faces its greatest challenge yet—legislation in the name of a safer Internet. The latest example is the United Kingdom’s Online Safety Bill, which is expected to become law later this year. Proposed laws in other democratic countries echo the U.K.’s. These laws, according to their opponents, would necessarily undermine the privacy-preserving cornerstone of end-to-end encryption.
On its face, the bill isn’t about encryption; it aims to make the Internet less unpleasant. The bill would give the U.K.’s broadcasting and telecoms regulator, Ofcom, additional policing powers over messaging apps, social-media platforms, search engines, and other services. Ofcom could order providers to take down harmful content, such as hateful trolling, revenge porn, and child pornography, and fine those service providers for failing to comply.
The authorities are “looking for needles in a haystack....Why would they want to vastly increase the haystack by scanning one billion messages a month of everyday people?” —Joe Mullin, Electronic Frontier Foundation
The specific segment of the Online Safety Bill that worries encryption advocates is Clause 110, which entitles Ofcom to issue takedown orders for messages “whether communicated publicly or privately by means of the service.” To do this, the bill obliges services to monitor messages with “accredited technology” that has received Ofcom’s stamp of approval.
Observers believe that there is no way for service providers to comply with Clause 110 takedown orders without compromising encryption. Representatives from Meta (which owns WhatsApp), Signal (which pioneered the Signal encryption protocol that WhatsApp also uses), and five other firms signed an open letter in opposition to the bill:
“The Bill provides no explicit protection for encryption, and if implemented as written, could empower OFCOM to try to force the proactive scanning of private messages on end-to-end encrypted communication services, nullifying the purpose of end-to-end encryption as a result and compromising the privacy of all users.”
What does proactive scanning look like in practice? One example could be Microsoft’s PhotoDNA, which the company says was designed to crack down on images of child pornography. PhotoDNA assigns each image an irreversible hash; authorities can compare that hash to other hashes to find copies of an image without actually examining the image itself.
According to Joe Mullin, a policy analyst at the Electronic Frontier Foundation (EFF), a nonprofit that opposes the bill, services could comply with Clause 110 by mandating that PhotoDNA or similar software run on their users’ devices. While this would leave encryption intact, it would also act as what Mullin calls a “backdoor,” allowing for an app’s owners or law-enforcement agencies to monitor encrypted messages.
In an app that has end-to-end encryption, such a system might work something like this: Software like PhotoDNA, running on a user’s device, might create a hash for each message or each media file a user can see. If the authorities flag a particular hash, an app’s owner could scan the sea of hashes to pinpoint groups or conversations that also hold that hash’s corresponding message. Then, whether voluntarily or under legal obligation, the owner might share that information with law enforcement.
While this method wouldn’t break encryption, Mullin and other privacy advocates still find the idea of client-side monitoring to be unacceptably intrusive.
“Another strong possibility is that to avoid the creation of such backdoors, services will be intimidated away from using encryption altogether,” Mullin believes.
The U.K.’s Department for Science, Innovation and Technology did not respond to a request for comment. However, earlier this month, a spokesperson of a different U.K. government office denied that the bill would require services to weaken encryption.
Privacy concerns everywhere
The U.K. bill isn’t the only one raising privacy advocates’ concerns.
Since 2020, U.S. lawmakers from both major parties have pushed the so-called EARN IT Act. In the name of cracking down on child pornography, the bill would open the (currently closed) door for lawsuits against Internet services who fail to remove such material. The bill does not mention encryption, and its elected backers have denied that the act would harm encryption. The bill’s opponents, however, fear that the threat of legal action might encourage services to create backdoors or discourage services from encrypting messages at all.
In the European Union, lawmakers have proposed the Regulation to Prevent and Combat Child Sexual Abuse. In its current form, the regulation would allow law enforcement to send “detection orders” to tech platforms, requiring them to scan messages, media, or other data. Critics believe that by mandating scanning, the regulation would undermine encryption.
In March, WhatsApp’s boss Will Cathcart said the app would not comply with the bill’s requirements
EFF’s Mullin, for his part, believes that other methods—allowing users to report malicious posts within an app, analyzing suspicious metadata, even traditional police work—can crack down on child sexual abuse material better than scanning messages or creating backdoors to encrypted data.
The authorities are “looking for needles in a haystack,” Mullin says. “Why would they want to vastly increase the haystack by scanning one billion messages a month of everyday people?”
Elsewhere, Russia and China have laws that allow authorities to mandate that encryption software providers decrypt data, including messages, without a warrant. A 2018 Australian law gave law-enforcement agencies the power to execute warrants ordering Internet services to decrypt and share information with them. Amazon, Facebook, Google, and Twitter all opposed the law, but they could not prevent its passing.
Back in Westminster, the Online Safety Bill is just a few hurdles away from assent. But even the bill’s passing probably won’t mean the end of the saga. In March, WhatsApp’s boss Will Cathcart said the app would not comply with the bill’s requirements.
- Controversial Satellite-Messaging Startup Higher Ground Cleared for Takeoff ›
- The Crazy Security Behind the Birth of Zcash, the Inside Story ›
- Twitter’s Direct Messages Is a Bigger Headache Than the Bitcoin Scam ›